Navigating Biometric Data Security Risks in the Digital Age

The use of biometrics is increasingly common for authentication, and organizations must make sure their data security solutions protect what may be a new goldmine for hackers.

Maurice Uenuma, Vice President & General Manager, Americas, Blancco

March 5, 2024

4 Min Read
Eye with 1s and 0s radiating out from it
Source: Valerii Brozhinskii via Alamy Stock Photo

COMMENTARY

Although it wasn't called biometrics at the time, a rudimentary form of the technology emerged in 1901 when Scotland Yard adopted fingerprint classification to identify criminal suspects. The biometrics field has come a long way in the more than 120 years since then.

Public and private sector organizations now use it to identify and authenticate individuals to grant access to computer systems, such as laptops and tablets, and enterprise applications such as human resources or customer relationship management systems. Apple adopted biometrics to unlock the iPhone in 2013, and today face ID is a common feature on mobile phones. The Mastercard Biometric Card combines chip technology with fingerprints to verify the cardholder's identity for in-store purchases. Healthcare organizations also use biometrics to verify individuals to determine access to medical care. This is particularly useful if the patient can't produce other forms of identification.

With biometric devices part of the growing body of data-bearing devices deployed across multiple sectors, including government agencies and the military, organizations looking to use this technology must make sure their data security solutions protect what may be a new goldmine for hackers.

DoD Details Biometrics Data Risks

The US government is now fully aware of the potential danger of biometrics data breaches: The Inspector General (IG) of the US Department of Defense (DoD) released a report in November 2023 revealing significant gaps in security and management of biometric data within the DoD. These gaps may pose risks to personnel and potentially threaten clandestine operations. According to the IG's report, the DoD's use of biometric data has been extensive, particularly in areas of conflict where accurately identifying individuals is critical for security operations. The report found many of the DoD's biometric collection devices lacked data encryption capabilities and a clear policy for destroying or sanitizing biometric data.

While commercial enterprises don't face the same challenges as the DoD, the threat of biometrics data breaches to business operations are also a serious concern. Some of the top threats to private sector organizations include:

  • Data theft: Stolen biometric data can lead to unauthorized access to enterprise systems and theft of sensitive information.

  • Spoofing and impersonation: Biometric systems can be tricked using various spoofing techniques, such as fake fingerprints, facial images, or voice recordings.

  • Privacy concerns: Collecting and storing biometric data raises privacy concerns, as individuals may worry about the misuse of or unauthorized access to their personal information.

  • Integration challenges: Poorly integrated biometric systems may introduce vulnerabilities, especially when integrated with other security or IT systems.

The Biometrics "Blind Spot" in Security Policies

The IG's report points to a worrisome gap in the DoD's biometrics policies, which might be a cybersecurity blind spot. As the use of biometrics grows in popularity and the technology is more widely adopted by governments and businesses, organizations must take a close look at their security policies and update them to guide the use of biometrics-enabled devices and properly secure biometrics data.

By default, biometrics data is personally identifiable information (PII) and thus protected information subject to privacy laws, regulations, and data security guidelines already in effect. Failure to protect this type of data poses the risk of non-compliance with data security frameworks and privacy regulations, with potential for fines, legal action, and loss of consumer trust.

Enterprises must go to great lengths to protect the integrity of sensitive data, especially as biometrics are one of the key methods used to authenticate unique persons beyond username-and-password combinations. Policymakers and security leaders should consider:

  • Imposing higher penalties for breaches of biometrics devices and data.

  • Prescribing additional technical security controls for biometric data using existing cybersecurity frameworks such as NIST Cyber-Resiliency Framework (CSF), Center for Internet Security (CIS) Controls, and NIST Special Publication 800-53.

  • Building multifactor rigor into the use of biometrics by implementing multimodal biometrics. This combines multiple biometric data sets (such as fingerprints, retinal scans, palm prints, voice signatures, facial recognition, and behavioral traits) to authenticate users with each data set segregated and protected separately. When the subject is authenticated by two or more methods, that person's identity is verified. This way, compromising one data set cannot compromise the entire authentication scheme.

Final Thoughts

Use of biometrics is not new. We have had the means to capture, record, and compare against fingerprints for decades. But the technology available to perform biometrics data capture and comparison in greater detail, at scale, and in near real-time has opened many new possibilities. Responsible use of biometrics data sets to enhance security, namely through more rigorous authentication, should be implemented and celebrated.

At the same time, these developments should proceed only alongside broader data security measures, including best practices prescribed by NIST, CIS, and others, to protect these systems and the privacy of the data subjects whose biometrics data is being used.

About the Author

Maurice Uenuma

Vice President & General Manager, Americas, Blancco

Maurice Uenuma is Vice President & General Manager, Americas, at Blancco Technology Group, collaborating with an interdisciplinary team to deliver the world's leading data erasure and device diagnostics solution to address the privacy, security, and sustainability needs of government agencies, enterprises, and device processors. Previously, Maurice was Vice President, Federal & Enterprise with Tripwire. Prior to joining Tripwire, he was Vice President at the Center for Internet Security (CIS) and served as Workforce Management co-chair of the National Initiative for Cybersecurity Education (NICE) Working Group at NIST. Earlier, Maurice held leadership roles at Perot Systems and Dell, and served for nine years as an infantry and special operations officer in the United States Marine Corps. Maurice holds a Master's degree in National Security Studies from Georgetown University, graduated from the US Naval Academy, and is a GIAC-certified Global Industrial Cyber Security Professional (GICSP).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights