Changing a password is easy—a fingerprint? Not so much.

THE EVENT

Revealed in the last 24 hours, the Suprema biometric technology breach compromised fingerprint and facial recognition data for over 28 million records. Because sensitive data rarely lives, travels, and exists alone, the compromise has exposed volumes of “companion data” that is equally sensitive. Usernames, passwords, logs of facility access, security and clearance levels, photographs, and security verification data are all behind the digital door unlocked by biometric data keys. And unlike other recent data breaches centered on leaked usernames and passwords, fingerprints or facial data cannot be changed once they’ve been leaked.

THE ISSUE

A single Suprema product—the Biostar 2, a biometric identity SDK integrated AEOS access control system—is at the crux of the incident. This device is used by 5,700 organizations with a geographic footprint in 83 different countries. The implications are far-reaching, as this compromise sits at the crowded and value-saturated intersection of physical security and non-physical security, tangible and intangible asset protection, business intelligence, global-regional-domestic compliance, and privacy.

Biometric data, at the most basic, biological level, is processed, produced, and owned by every individual as an identity signature. At the business level, it is produced, processed, and owned by every organizational unit that has sensitive information and critical facilities to protect and control access.

THE SCOPE

Biometric data has long been treated with mild neglect in comparison to the standard priorities of privacy data. The focus on traditional PII data and the combinations of PII data elements to identify a person have taken a back seat in the past 24 hours.

62% of organizations use biometric technology, even though only 10% of those organizations believe biometrics are secure enough to be used as the sole form of authentication. Moreover, 90% of businesses will use biometric authentication technology by 2020.

With over 3 billion people categorized as working population globally, these calculations very easily account for 2.7 billion worth of people’s biometric data collected, processed, and stored by 2020.

The critical consideration is identity permanence, since a fingerprint (scanned and used by 57% of companies worldwide), when compromised, cannot be changed or updated like a password. There aren’t rules you can put into place that deal in special characters, capital letters, and numbers that would obfuscate the authenticity of a valid biometric identity signature. Once a fingerprint is compromised, it cannot be reversed or updated, and only imagination can set the parameters on how that data can be leveraged into intelligence or employed for malicious reasons.

THE PLAN

Organizational leadership teams should move deliberately and decisively to determine their level of risk, whether as a direct result of this incident or with respect to their sensitive data processes.

The 10 Critical Questions that Prescient advises boards and C-Suite leadership officers to ask immediately are as follows:

  1. How are you connected to this event, its subjects, or the biometric technology industry?
  2. Do you collect biometric data on your critical executive staff and teams?
  3. If your executive staff and teams’ biometric data were exposed, what level of reach and impact would that access have?
  4. What do your corporate policies communicate in terms of rules for collecting biometric data, or any other individually identifying information?
  5. Do you know how much sensitive data your organization has access to, collects, uses, or shares?
  6. Do you know where your sensitive data resides?
  7. Are the databases in which you keep sensitive data encrypted?
  8. Do you use biometric technology in the daily operation of your business?
  9. Do you know where biometric data may exist in your network, systems, or repositories?
  10. When was the last time you audited your access controls and critical business systems?

The Prescient 5-Point Proactive Risk Plan outlines a strategic, rapid risk mitigation framework for organizations to assess and assure their security posture:

1) Map Data

Follow the Data. Determine what sensitive data your organization collects, processes, and controls, and how all those data assets reside and connect with each other. The objective of this step is to be able to clearly track how sensitive data is created, used, stored, and transmitted regularly in the organization.

2) Index Systems

Go There and Count Them. Inventory all the systems that manage sensitive data, and then go a step further. Index them based on the level of data (sensitivity, completeness, classification, and risk) that is processed by that system. In an emergent situation with finite resources, scanning data across a multitude of technologies is not efficient. The objective of this step is to determine critical target priorities to dedicate attention to immediately to shape the mitigation action plan.

3) Inventory Processes

Show Me the Money. Establish depth of impact with respect to the business. Determine how the sensitive data circulating within the organization is processed by critical systems in standard and non-standard business procedures and workflows. In this step, the objective is to track and minimize impact to business operations, while also establishing how compromise or risk to specific data elements permeates the business on a day-to-day basis.

4) Assess Risk

Protect Your Neck. Determine your centers of gravity based on probability, impact, and ability to remediate and/or mitigate. Whether it’s simply encrypting the database, wholesale resetting access to a sensitive repository, or rip-and-replacing an old technology/device, determine the level of impact you can absorb and assure when it comes to the people, process, and technology dimensions of taking an action. The objective is to prioritize efforts and immediate actions. Conduct a risk assessment and an audit of systems to map out a timeline of what is feasible, least disruptive, and effective for the issue at hand.

5) Apply Controls

Be About It. If you’re fortunate enough to have no or minor issues or findings, set a schedule to follow-up with a deliberate review, training, and communication. If you discover a relevant risk, from moderate to significant in severity, outline a clear risk treatment plan immediately. Detail remediation steps, timelines, and milestones to effectively establish a proactive stance that increases awareness, addresses issues, and controls impact. The objective of this step, in either case, is to assure and control quality management of your risk profile, posture, and plan.

If you have any questions, our team at Prescient can guide you through the details and support your strategy to determine your exposure or risk. To request a professional consult with a Prescient Cyber Executive, contact us today.

Alex White serves as Vice President of Prescient’s Cyber Practice. He specializes in developing enterprise-wise cyber risk management strategies, and has extensive experience architecting proactive and predictive programs for enterprise risk, technology governance, and data protection.