The Rising Threat Of Biometric Breaches & Stolen Data

Security technology has improved significantly in recent years, with protective solutions such as multi-factor authentication and biometric security, which are key to personal and professional digital protection, now commonplace. However, just as security continues to evolve, so too do the methods that threat actors use as they seek to overcome and exploit those very same systems.

Today, biometric data is increasingly in the sights of criminals as they strive to steal and use incredibly personal data and devices against targets.

From lifting a fingerprint from someone's glass to pointing a stolen phone at the owner's face for facial recognition, the security measures on everyday devices can be bypassed in a variety of relatively basic ways, enabling attackers to wreak untold havoc against an individual.

Similarly, wearable devices such as smartwatches and fitness trackers are prime targets because of the detailed financial, health, and location data that they contain. They are attractive not only because they now double as 'tap-to-pay' payment tools; by analysing wearable usage patterns, criminals may also be able to use key data against their victims.

Think about a high-net-worth individual. If a criminal can steal their wearable data and see that they attend a fitness class every Tuesday between 6:30 pm and 7:30 pm, they'll know the perfect time to break into their car or property. With that said, it's not just individuals at risk of compromise. Organisations are also at risk of biometric data theft – attacks that can have significant consequences.

This is nothing new. Back in April 2015, for example, the United States Office of Personnel Management (OPM) was subject to a breach in which threat actors stole the fingerprint data of more than 5.6 million US government workers. Such breaches are particularly problematic because, unlike passwords, biometric data can't be altered. In the case of the OPM incident, however, there is some good news: security technology has since changed how it interacts with biometric data.

When it was discovered that you could print a photo of someone's face to overcome facial recognition security, additional measures, such as infrared scanners that look for heat signatures and liveness detection, were added to improve the technology's effectiveness. Similar improvements have been made across other biometric security systems over time.

In this sense, biometric data stolen 10 years ago may not be sufficient to exploit modern systems. However, that is not to say that stolen biometric data doesn't present significant problems. Today, there are other threats to consider.

How Biometric Data Could Exacerbate The Deepfake Threat

The advent of AI in a threat context is particularly relevant, with stolen biometric data potentially capable of enabling threat actors to create even more convincing deepfakes.

Significant concerns have been voiced here. The latest Global Identity Fraud Report by AU10TIX reveals that while selfies have traditionally been considered a reliable method for biometric authentication measures (such as know-your-customer (KYC) procedures, which allow banks and financial institutions to confirm the identity of the organisations and individuals they do business with), deepfakes could make such measures redundant.

The threats are immense. Back in 2020, one threat actor managed to steal $35 million by using AI to replicate a company director's voice and deceive a bank manager. Similarly, in January 2024, a finance employee at British engineering firm Arup fell victim to a $25 million scam after a video call with a 'deepfake chief financial officer'.

Deepfakes are no longer a theoretical threat but a present-day reality that enterprises must confront.

Data from our 2024 State of Information Security Report shows that nearly a third (32%) of UK businesses reported experiencing a deepfake security incident in the past year, making it the country's second most common type of information security breach.

Biometric and wearable data could potentially help threat actors create even more convincing deepfakes and hone their spear phishing attempts, so protecting it is absolutely critical.

Businesses, Consumers, Manufacturers & Regulators Can All Play Their Part

So, what can be done to safeguard individuals and businesses alike from this type of threat?

  • First, individuals themselves should be cognisant of their devices' security, working to create multiple layers of defence that might include facial recognition and strong, regularly updated PINs/passwords alongside fingerprint security.
  • As part of this, consumers and businesses alike should consider the security capabilities provided by device manufacturers, opting to go with those that have made device protection a priority and have robust syncing and authentication systems.
  • Manufacturers should also align with key principles of GDPR, such as data minimisation practices, which ensure that they only collect and hold the data needed to deliver an effective service.
  • In instances where that data is needed, pseudonymisation should be adopted to disaggregate biometric data from the individual. As a result, even if a threat actor does successfully steal the fingerprint data of thousands of individuals, they won't know who each fingerprint belongs to, rendering that data almost redundant.
  • Encrypting data at rest and in transit is also important for the same reason: if that data is compromised, it's much harder for threat actors to exploit it.
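One way to implement the pseudonymisation described above, as an added example that is not part of the original article and not any vendor's code: the weak unkeyed-hash scheme beside the keyed one, with enrolment data split so that the template store alone carries no identity and cannot be re-linked without the key. User IDs, templates and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample enrolment data (not real templates): user IDs with the
# fingerprint templates captured at enrolment. Real templates are vendor-
# specific binary blobs; these placeholders stand in for them.
ENROLMENTS = {
    "alice@example.com": b"FP-TEMPLATE-ALICE-0001",
    "bob@example.com": b"FP-TEMPLATE-BOB-0002",
    "carol@example.com": b"FP-TEMPLATE-CAROL-0003",
}

def weak_pseudonym(user_id: str) -> str:
    """Unkeyed hash of the identifier. Anyone holding a list of plausible
    user IDs (a staff directory, a customer list) can recompute it and
    re-link a leaked template store to named people."""
    return hashlib.sha256(user_id.encode()).hexdigest()

def keyed_pseudonym(secret_key: bytes, user_id: str) -> str:
    """HMAC-derived pseudonym. The key lives with the authentication service
    (or an HSM), never alongside the template store, so a template dump on
    its own cannot be joined back to identities."""
    return hmac.new(secret_key, user_id.encode(), hashlib.sha256).hexdigest()

def enrol_all(enrolments, pseudonym_fn):
    """Split enrolment data into two stores intended for separate systems:
    template_store: pseudonym -> template  (holds no identity)
    identity_store: user_id -> pseudonym   (holds no biometric)."""
    template_store, identity_store = {}, {}
    for user_id, template in enrolments.items():
        p = pseudonym_fn(user_id)
        template_store[p] = template
        identity_store[user_id] = p
    return template_store, identity_store

def lookup_template(template_store, pseudonym_fn, user_id):
    """Authentication path: the service re-derives the pseudonym to fetch
    the template; a wrong key simply yields no match."""
    return template_store.get(pseudonym_fn(user_id))

def count_relinkable(template_store, candidate_ids, guess_fn):
    """Self-assessment for a leaked template store: how many entries could be
    tied to a known identity by recomputing pseudonyms from candidate IDs."""
    return sum(1 for u in candidate_ids if guess_fn(u) in template_store)
```

With the unkeyed scheme every leaked template re-links to its owner; with the keyed scheme none do unless the separately held key is also lost, which is the property the bullet above relies on.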

Additionally, regulators are playing a growing role in ensuring that the right protections are in place. Take the EU AI Act, for example: while the legislation remains relatively new, the act seeks to prohibit "the use of 'real-time' remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement."

Meanwhile, under the HIPAA Security Rule (2009) in the US, organisations must safeguard Protected Health Information (PHI), with wearables and smart devices increasingly being used to collect PHI. And, in 2021, Facebook was forced to pay $650m for violating Illinois privacy law, allegedly using photo face-tagging and other biometric data without the permission of its users.

What To Do If Your Biometric Or Wearable Data Is Stolen

It is important that regulators, manufacturers, and users (corporations and consumers alike) continue to take the necessary measures to protect key biometric and wearable data, as threat actors are likely to ramp up such attacks in 2025.

From a technology point of view, we're going to see more AI-powered hacking this year, with increasingly capable devices also becoming attractive to threat actors to use against victims.

But what would happen if someone should get their hands on this data and these devices? The key is not to panic. Yes, it may be that your fingerprint data is compromised, yet with a multi-layered security strategy, those other layers, such as multi-factor authentication, should do their job in preventing access to key devices, accounts, and systems.

For businesses subject to major attacks, it is vital to follow the correct compliance procedures, report any breaches to the relevant supervisory body, such as the ICO, and activate pre-planned incident management and crisis response protocols.

Beyond that, it is again a case of accepting that part of your authentication process can't be trusted fully, which should in turn trigger a risk assessment. You might decide that the asset you're protecting is not that important, and you're willing to take the risk, or that additional layers of protection need to be implemented to compensate for this potential compromise.

For guidance on what to do, it is worthwhile looking to proven standards that can help you adopt best practices. ISO 27001, for example, can help organisations find reputable suppliers and manage their approaches to authentication.

These standards already document such crucial steps, making them a strong first port of call for helping enterprises combat the risks associated with biometric and wearable data theft. 

Sam Peters is Chief Product Officer at ISMS.online
