Organizations storing reference data to perform facial biometric matching should not store that data in an unencrypted format. This basic best practice requirement seems to have been lost on many organizations, with the latest example being a database of Salvadoran personal information leaked onto the dark web.
Resecurity reports that more than 5.1 million records of personal information are now available for free on the dark web, including high-resolution mugshots labeled with an individual's Salvadoran National Identity Document Number (DUI). I did. The cybercriminals responsible for the data dump appear to have initially tried to sell the compromised personal information.
Due to the number and nature of the records, there has been speculation on social media (caveat emptor) that the breach originated from the national digital wallet Chivo.
However, the source of the data and the party that compromised the data remain unclear. Resecurity points to a possible connection to Guacamaya, a known hacker group that has attacked governments and businesses in several Latin American countries. The data dump was posted on a hacker forum by a user with the alias “CiberinteligenciaSV”.
This data includes people's names, dates of birth, phone numbers, emails and addresses, in addition to national ID information and selfies. This number of records represents approximately 80 percent of El Salvador's total population, or nearly all of the adult population.
This data is unlikely to be useful to hackers trying to break onboarding or access control systems protected by presentation attack detection, but it can be useful for breaking systems that ignore cybersecurity best practices as a data source. There is a possibility.
If facial images had been properly stored as encrypted templates in a database separate from other personal data, they would have had no practical value to the party who leaked them or anyone else.
Storing data in ways not recommended by privacy and biometric experts is one thing, but attaching ID numbers and other personal information can make a breach much more damaging. For example, while images of many people's faces may be available and associated with their names on social media accounts, this breach makes El Salvador People seem to be relatively easy targets, and other information would normally need to be gathered. It was included in the leaked database.
Resecurity notes a Reuters report that Latin America had the highest rate of unprotected data of any region in the world in 2022.
Article topics
Biometrics | Chibo | Data Privacy | El Salvador | Facial Biometrics | Identity Management | National ID