“More than one million fingerprints and a host of usernames and passwords have been exposed on an unsecured database hosted by a security platform that lists the Metropolitan Police among its clients.”  There are a number of interesting points to note about this breach, even based on the little we know so far.

Firstly, this could prove to be yet another example of “island hopping” - a term used to describe the practice of an attacker/hacker using the IT/infosec supply chain to access the ultimate target’s data/systems. As mentioned in this article: “the more secure an organisation itself is, the more attractive that organisation’s supply chain becomes in the mind of the attacker”.

Secondly, this breach appears to involve the exposure of large volumes of unencrypted biometric data (such as fingerprints and facial recognition data). Clearly as a breach, this is likely to be incredibly complex to manage. You can’t send an email to a database of users requiring them to reset their fingerprints, of course.

An interesting one to watch.

For businesses collecting or using biometric data (whether that’s as a means of verifying access to buildings or technology, or simply to facilitate speedy payments in the canteen), there’s a lot to think about. Clearly, this breach shines a light on security and supply chain management, but key to biometric data processing will be Data Protection Impact Assessments, and considerations of proportionality.

The law provides additional protections for this type of data, and reading about the BioStar2 breach, it isn’t hard to understand why...