The Rising Threat Of Biometric Breaches & Stolen Data

Security technology has improved significantly in recent years, with protective solutions such as multi-factor authentication and biometric security, which are key to personal and professional digital protection, now commonplace. However, just as security continues to evolve, so too do the methods that threat actors use as they seek to overcome and exploit those very same systems.

Today, biometric data is increasingly in the sights of criminals as they strive to steal and use incredibly personal data and devices against targets.

From lifting a fingerprint off a glass someone has used to pointing a stolen phone at its owner's face to pass facial recognition, the security measures on everyday devices can be bypassed in a variety of relatively basic ways, enabling attackers to wreak untold havoc against an individual.

Similarly, wearable devices such as smartwatches and fitness trackers are prime targets because of the detailed financial, health, and location data they contain. They are attractive not only because many now double as 'tap-to-pay' payment tools, but also because, by analysing wearable usage patterns, criminals may be able to use key data against their victims.

Think about a high-net-worth individual. If a criminal can steal their wearable data and see that they attend a fitness class every Tuesday between 6:30 pm and 7:30 pm, they'll know the perfect time to break into their car or property. With that said, it's not just individuals at risk of compromise. Organisations are also at risk of biometric data theft – attacks that can have significant consequences.

This is nothing new. Back in April 2015, for example, the United States Office of Personnel Management (OPM) was subject to a breach in which threat actors stole the fingerprint data of more than 5.6 million US government workers. Such breaches are particularly problematic because, unlike passwords, biometric data can't be altered. However, in the case of the OPM incident, there is some good news: security technology has since changed how it interacts with biometric data.

When it was discovered that you could print a photo of someone's face to overcome facial recognition security, additional measures, such as infrared scanners that look for heat signatures and liveness detection, were added to improve the technology's effectiveness. Similar improvements have been made across other biometric security systems over time.

In this sense, biometric data stolen 10 years ago may not be sufficient to exploit modern systems. However, that is not to say that stolen biometric data doesn't present significant problems. Today, there are other threats to consider.

How Biometric Data Could Exacerbate The Deepfake Threat

The advent of AI in a threat context is particularly relevant, with stolen biometric data potentially capable of enabling threat actors to create even more convincing deepfakes.

Significant concerns have been voiced here. The latest Global Identity Fraud Report by AU10TIX reveals that while selfies have traditionally been considered a reliable method for biometric authentication measures (such as know-your-customer (KYC) procedures, which allow banks and financial institutions to confirm the identity of the organisations and individuals they do business with), deepfakes could make such measures redundant.

The threats are immense. Back in 2020, one threat actor managed to steal $35 million by using AI to replicate a company director's voice and deceive a bank manager. Similarly, in January 2024, a finance employee at British engineering firm Arup fell victim to a $25 million scam after a video call with a 'deepfake chief financial officer'.

Deepfakes are no longer a theoretical threat but a present-day reality that enterprises must confront.

Data from our 2024 State of Information Security Report shows that nearly a third (32%) of UK businesses reported experiencing a deepfake security incident in the past year, making it the country's second most common type of information security breach.

Biometric and wearable data could potentially help threat actors create even more convincing deepfakes and hone their spear phishing attempts, so protecting it is absolutely critical.

Businesses, Consumers, Manufacturers & Regulators Can All Play Their Part

So, what can be done to safeguard individuals and businesses alike from this type of threat?

  • First, individuals themselves should be cognisant of their devices' security, working to create multiple layers of defence that might include the use of facial recognition and strong, regularly updated PINs/passwords alongside fingerprint security.
  • As part of this, consumers and businesses alike should consider the security capabilities provided by device manufacturers, opting to go with those that have made device protection a priority and have robust syncing and authentication systems.
  • Manufacturers should also align with key principles of GDPR, such as data minimisation practices, which ensure that they only collect and hold the data needed to deliver an effective service.
  • In instances where that data is needed, pseudonymisation should be adopted to disaggregate biometric data from the individual. As a result, even if a threat actor does successfully steal the fingerprint data of thousands of individuals, they won't know who each fingerprint belongs to, rendering that data almost redundant.
  • Encrypting data at rest and in transit is also important for the same reason - if that data is compromised, it's much harder for threat actors to exploit it.
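As an added illustration of the pseudonymisation and separation points above (not code from the article or from ISMS.online), the following sketch indexes fingerprint templates under keyed pseudonyms, with the key held in a separate identity vault, and includes a linkability check that shows why an unkeyed hash of the user ID is not pseudonymisation. All class and function names and the sample identities are assumed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

class IdentityVault:
    """Holds the pseudonymisation key. Deployed and backed up separately from the
    template store, so a stolen copy of the templates never includes this key."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)

    def pseudonym(self, user_id: str) -> str:
        # Keyed HMAC: without the key nobody can recompute which pseudonym belongs
        # to which user. An unkeyed hash of the ID would be reversible by guessing.
        return hmac.new(self._key, user_id.encode(), hashlib.sha256).hexdigest()

class TemplateStore:
    """Indexes biometric templates only by pseudonym; it never sees a user ID.
    Templates should additionally be encrypted at rest by the platform."""

    def __init__(self) -> None:
        self._templates: Dict[str, bytes] = {}

    def enrol(self, pseudonym: str, template: bytes) -> None:
        self._templates[pseudonym] = template

    def lookup(self, pseudonym: str) -> Optional[bytes]:
        return self._templates.get(pseudonym)

    def dump(self) -> Dict[str, bytes]:
        # What an attacker obtains if this store alone is breached.
        return dict(self._templates)

def verify_user(vault: IdentityVault, store: TemplateStore, user_id: str, probe: bytes) -> bool:
    # Exact comparison for illustration only; real biometric matching is a
    # fuzzy similarity score rather than byte-for-byte equality.
    stored = store.lookup(vault.pseudonym(user_id))
    return stored is not None and hmac.compare_digest(stored, probe)

def linkability_check(dumped: Dict[str, bytes], candidate_ids: List[str],
                      pseudonym_fn: Callable[[str], str]) -> Dict[str, str]:
    """Design check: given only the dumped store and a list of plausible user IDs,
    how many pseudonyms can be tied back to a person? Returns {pseudonym: user_id}."""
    return {pseudonym_fn(uid): uid for uid in candidate_ids if pseudonym_fn(uid) in dumped}

def unkeyed_pseudonym(user_id: str) -> str:
    # The weak variant the check should flag: SHA-256 of the ID with no secret key.
    return hashlib.sha256(user_id.encode()).hexdigest()
```

Run the check against a dump of the store with the unkeyed function: a keyed design returns no matches, while a store built with `unkeyed_pseudonym` links every guessable ID straight back to its template.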

Additionally, we're increasingly seeing regulators play a growing role in ensuring that the right protections are in place. Take the EU AI Act, for example - while the legislation remains relatively new, the act seeks to prohibit "the use of 'real-time' remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement."

Meanwhile, under the HIPAA Security Rule (2009) in the US, organisations must safeguard Protected Health Information (PHI), with wearables and smart devices increasingly being used to collect PHI. And, in 2021, Facebook was forced to pay $650m for violating Illinois privacy law, allegedly using photo face-tagging and other biometric data without the permission of its users.

What To Do If Your Biometric Or Wearable Data Is Stolen

It is important that regulators, manufacturers, and users (both corporations and consumers alike) continue to take the necessary measures to protect key biometric and wearable data, with threat actors likely to ramp up such attacks in 2025.

From a technology point of view, we're going to see more AI-powered hacking this year, with increasingly capable devices also becoming attractive to threat actors to use against victims.

But what would happen if someone should get their hands on this data and these devices? The key is not to panic. Yes, it may be that your fingerprint data is compromised, yet with a multi-layered security strategy, those other layers, such as multi-factor authentication, should do their job in preventing access to key devices, accounts, and systems.

For businesses subject to major attacks, it is vital to follow the correct compliance procedures, report any breaches to the relevant supervisory body, such as the ICO, and activate pre-planned incident management and crisis response protocols.

Beyond that, it is again a case of accepting that part of your authentication process can't be trusted fully, which should in turn trigger a risk assessment. You might decide that the asset you're protecting is not that important, and you're willing to take the risk, or that additional layers of protection need to be implemented to compensate for this potential compromise.

For guidance on what to do, it is worthwhile looking to proven standards that can help you adopt best practices. ISO 27001, for example, can help organisations find reputable suppliers and manage their approaches to authentication.

These standards already document such crucial steps, making them a strong first port of call for helping enterprises combat the risks associated with biometric and wearable data theft. 

Sam Peters is Chief Product Officer at ISMS.online
