Navigating Biometric Data Security Risks in the Digital Age
The use of biometrics is increasingly common for authentication, and organizations must make sure their data security solutions protect what may be a new goldmine for hackers.
COMMENTARY
Although it wasn't called biometrics at the time, a rudimentary form of the technology emerged in 1901 when Scotland Yard adopted fingerprint classification to identify criminal suspects. The biometrics field has come a long way in the more than 120 years since then.
Public and private sector organizations now use it to identify and authenticate individuals to grant access to computer systems, such as laptops and tablets, and to enterprise applications such as human resources or customer relationship management systems. Apple adopted biometrics to unlock the iPhone in 2013, and face recognition (Face ID on Apple devices) is now a common feature on mobile phones. The Mastercard Biometric Card combines chip technology with fingerprints to verify the cardholder's identity for in-store purchases. Healthcare organizations also use biometrics to verify a patient's identity before granting access to medical care, which is particularly useful when the patient can't produce other forms of identification.
With biometric devices part of the growing body of data-bearing devices deployed across multiple sectors, including government agencies and the military, organizations looking to use this technology must make sure their data security solutions protect what may be a new goldmine for hackers.
DoD Details Biometrics Data Risks
The US government is now fully aware of the potential danger of biometrics data breaches: The Inspector General (IG) of the US Department of Defense (DoD) released a report in November 2023 revealing significant gaps in the security and management of biometric data within the DoD. These gaps pose risks to personnel and could threaten clandestine operations. According to the IG's report, the DoD's use of biometric data has been extensive, particularly in areas of conflict where accurately identifying individuals is critical for security operations. The report found that many of the DoD's biometric collection devices lacked data encryption capabilities, and that the department had no clear policy for destroying or sanitizing biometric data. An unencrypted collection device is a particular concern because a lost or captured device exposes every record stored on it, and an enrolled person cannot be issued a new fingerprint or face the way they can be issued a new password.
While commercial enterprises don't face the same challenges as the DoD, the threat of biometrics data breaches to business operations is also a serious concern. Some of the top threats to private sector organizations include:
Data theft: Stolen biometric data can lead to unauthorized access to enterprise systems and theft of sensitive information. Unlike a password or token, a compromised biometric cannot be revoked and reissued, so the damage is permanent for the affected individual.
Spoofing and impersonation: Biometric systems can be tricked using various spoofing techniques, such as fake fingerprints, facial images, or voice recordings. Presentation attack detection (liveness checking) at the sensor is the standard control, and it should be tested against the artifact types relevant to each modality rather than assumed.
Privacy concerns: Collecting and storing biometric data raises privacy concerns, as individuals may worry about the misuse of or unauthorized access to their personal information.
Integration challenges: Poorly integrated biometric systems may introduce vulnerabilities, especially when connected to other security or IT systems. The weak point is usually the interface rather than the matcher: a match result passed to the relying application without integrity protection, or templates replicated into a third-party system that does not encrypt them, undoes the protection applied at the sensor.
The Biometrics "Blind Spot" in Security Policies
The IG's report points to a worrisome gap in the DoD's biometrics policies, which might be a cybersecurity blind spot. As the use of biometrics grows in popularity and the technology is more widely adopted by governments and businesses, organizations must take a close look at their security policies and update them to guide the use of biometrics-enabled devices and properly secure biometrics data.
By definition, biometrics data is personally identifiable information (PII) and thus protected information subject to privacy laws, regulations, and data security guidelines already in effect; the EU's GDPR, for example, treats biometric data used to identify a person as a special category with stricter processing conditions, and Illinois' Biometric Information Privacy Act imposes consent and retention requirements with a private right of action. Failure to protect this type of data poses the risk of non-compliance with data security frameworks and privacy regulations, with potential for fines, legal action, and loss of consumer trust.
Enterprises must go to great lengths to protect the confidentiality and integrity of sensitive data, especially as biometrics are one of the key methods used to authenticate unique persons beyond username-and-password combinations. Policymakers and security leaders should consider:
Imposing higher penalties for breaches of biometrics devices and data.
Prescribing additional technical security controls for biometric data using existing cybersecurity frameworks such as the NIST Cybersecurity Framework (CSF), Center for Internet Security (CIS) Controls, and NIST Special Publication 800-53, together with the biometric-specific requirements in NIST Special Publication 800-63B (false match rate limits, presentation attack detection, and rate limiting of match attempts).
Building additional rigor into the use of biometrics by implementing multimodal biometrics. This combines multiple biometric data sets (such as fingerprints, retinal scans, palm prints, voice signatures, facial recognition, and behavioral traits) to authenticate users, with each data set stored, encrypted, and protected separately. The subject is verified only when two or more modalities match, so compromising one data set cannot compromise the entire authentication scheme. One caveat: two biometrics are still a single factor type ("something you are"). NIST SP 800-63B requires that biometrics be used only as part of multifactor authentication with a physical authenticator (something you have), so multimodal matching strengthens the biometric factor but does not replace the second one.
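The per-modality segregation recommended above, together with the encryption and sanitization gaps the IG report describes, as a small Go program. This is an added example, not code from the article, the DoD, or any vendor. It assumes an in-memory key store and exact-match templates (both marked in the comments); a real deployment keeps each key in a TPM, Secure Enclave, or HSM and uses a fuzzy matcher. Each modality's template is sealed under its own AES-256-GCM key with the modality name as associated data, sanitization is done by destroying the key (crypto-shredding, which works even where flash overwrites are unreliable), and the decision rule requires two or more modalities to match.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Modality names one biometric data set. Each modality gets its own key and
// its own sealed record, so compromising one store does not expose the others.
type Modality string

const (
	Fingerprint Modality = "fingerprint"
	Face        Modality = "face"
)

// entry is one modality's sealed template plus the key that seals it.
// Assumption for this example: keys live in process memory. On a real
// device they belong in a TPM, Secure Enclave, or HSM.
type entry struct {
	key    []byte // 32-byte AES-256 key; nil once the record is sanitized
	nonce  []byte
	sealed []byte // AES-GCM ciphertext followed by its 16-byte tag
}

// Vault is a per-modality encrypted template store.
type Vault struct{ entries map[Modality]*entry }

func NewVault() *Vault { return &Vault{entries: map[Modality]*entry{}} }

// gcmFor builds an AES-256-GCM AEAD for the given key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll seals a template under a fresh random key for that modality. The
// modality name is the associated data, so a record lifted from the "face"
// store cannot be replayed as a "fingerprint" record.
func (v *Vault) Enroll(m Modality, template []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh key + fresh nonce, never reused
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.entries[m] = &entry{key: key, nonce: nonce, sealed: aead.Seal(nil, nonce, template, []byte(m))}
	return nil
}

// open decrypts one modality's template. It fails if the modality was never
// enrolled, was sanitized, or the ciphertext or associated data was altered.
func (v *Vault) open(m Modality) ([]byte, error) {
	e, ok := v.entries[m]
	if !ok || e.key == nil {
		return nil, errors.New("no usable template for " + string(m))
	}
	aead, err := gcmFor(e.key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, e.nonce, e.sealed, []byte(m))
}

// Sanitize crypto-shreds one modality: zeroize and drop its key. The ciphertext
// may linger on flash, where overwrites are unreliable, but is now unrecoverable.
func (v *Vault) Sanitize(m Modality) {
	if e, ok := v.entries[m]; ok && e.key != nil {
		for i := range e.key {
			e.key[i] = 0
		}
		e.key = nil
	}
}

// Matches compares a live sample against the stored template for m.
// Assumption: real matchers score fuzzy similarity; exact constant-time
// comparison stands in for that here.
func (v *Vault) Matches(m Modality, sample []byte) bool {
	t, err := v.open(m)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(t, sample) == 1
}

// Authenticate applies a k-of-n rule: at least `required` distinct modalities
// must match before the subject is considered verified.
func (v *Vault) Authenticate(samples map[Modality][]byte, required int) bool {
	matched := 0
	for m, s := range samples {
		if v.Matches(m, s) {
			matched++
		}
	}
	return matched >= required
}

func main() {
	v := NewVault() // constructed sample templates below; not real biometric data
	_ = v.Enroll(Fingerprint, []byte("fp-template-0001"))
	_ = v.Enroll(Face, []byte("face-template-0001"))
	live := map[Modality][]byte{Fingerprint: []byte("fp-template-0001"), Face: []byte("face-template-0001")}
	fmt.Println("two modalities match  :", v.Authenticate(live, 2)) // true
	fmt.Println("fingerprint alone     :", v.Authenticate(map[Modality][]byte{Fingerprint: live[Fingerprint]}, 2)) // false
	v.Sanitize(Face) // e.g. device decommissioned or retention period expired
	fmt.Println("after sanitizing face :", v.Authenticate(live, 2)) // false
}
```

The design choice worth noting is that the key, not the ciphertext, is what gets destroyed: a "delete" that only unlinks a file on a wear-levelled flash device leaves the data recoverable, whereas a zeroized key in a hardware key store makes the remaining ciphertext worthless. Separate keys per modality are also what make the "compromise one data set, keep the scheme" claim true in practice; a single shared key would collapse the segregation.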
Final Thoughts
Use of biometrics is not new. We have had the means to capture, record, and compare against fingerprints for decades. But the technology available to perform biometrics data capture and comparison in greater detail, at scale, and in near real-time has opened many new possibilities. Responsible use of biometrics data sets to enhance security, namely through more rigorous authentication, should be implemented and celebrated.
At the same time, these developments should proceed only alongside broader data security measures, including best practices prescribed by NIST, CIS, and others, to protect these systems and the privacy of the data subjects whose biometrics data is being used.