Hacked for life: Why you should be terrified by biometric technology

Unless our apathy towards data protection changes, we may soon lose something we can’t replace

"The biometric data, unencrypted passwords, and personal data of over one million people have been discovered sitting on a publicly accessible database belonging to a company that serves the likes of the UK Metropolitan Police and banking groups."

Those were the familiar words I typed out as part of my coverage of the Biostar 2 data breach. It's the same narrative I've seen hundreds, if not thousands, of times since becoming a technology journalist; in my numbness, I even entertained the idea that one million wasn't too bad.

But the Biostar 2 incident is perhaps the most unique security lapse I've come across in my three years at IT Pro. Not because of how it was discovered, nor because of how many were affected. The security lapse itself is even quite common.

What's uniquely terrifying about this breach is the nature of the data that was stolen.

Data breaches and hacks have become so common now that they fail to spark the same outrage they once did. That's not to say people don't get angry when they see a national airline exposing data to the world, or a massively popular social network improperly sharing information to third parties. Yet, for all that initial vitriol, the story disappears soon after. The number of those affected is usually difficult to conceptualise and, by extension, relate to. The privacy impact on each customer also varies significantly.

The initial buzz around the headline is usually followed by the release of fixes, process improvements, and the occasional lawsuit, only for attention to eventually turn elsewhere. Only very rarely does a data incident reverberate in the minds of the public. Facebook's Cambridge Analytica scandal comes to mind. Yet for most, we forget.

And that's ok.

The reason we forget is that the data itself is mercurial. The likes of passwords, email addresses, ID numbers, web history, and user preferences, while unique to each of us, can all be changed relatively easily or at least can go out of date quickly. Financial data theft, of course, can be more damaging but, again, cards can be cancelled and security numbers scrapped. It's also true that data theft for the majority of us usually translates into the odd dodgy phishing scam; often hilarious, always dismissed.

There's also the derision that accompanies scams that exploit password reuse. Those of us that turn to password managers, mainly so that we can fire and forget whenever we sign up to a new service, can be safe in the knowledge that it's those who are uninformed or lazy in their approach to security that will feel the brunt of most hacks.

But the Biostar 2 data leak exposed us all to something a little more sinister and, I would argue, is one of the most serious vulnerabilities ever discovered. Here we had raw, non-hashed fingerprint data and facial scans sat on a vulnerable database, information that is entirely unique and (outside experimental surgery) can't be changed. We've all resigned ourselves to the fact that companies will slip up when it comes to data protection, but when that extends to the very data that makes us individuals, serious questions need to be addressed.

The incident will certainly have implications for the biometrics industry. The drive to go passwordless may improve user security and user experience, but there seems to be little consideration as to how much more sophisticated data collection and storage will need to be as a result. In fact, many companies, including previously respected household names, have demonstrated unprecedented incompetency when handling our data, and it's time we started taking that seriously.

We have to question whether we should allow software vendors to continue to digitise more and more of our immutable personal information in the pursuit of state-of-the-art services, many of which are entirely unnecessary.
