Sam Peters, Chief Product Officer at ISMS.online, explores the trends amplifying the risks associated with biometric data theft.

Biometric security measures, including fingerprints, facial recognition, and voice patterns, have revolutionised digital protection. Their widespread adoption in both consumer devices and corporate systems has made them an integral part of modern security protocols. 

However, this reliance has also turned them into prime targets for attackers. The threat demands our attention because, unlike passwords, which can be changed, compromised biometric data is permanent, amplifying the risks associated with its theft.

The biometric threat

Organisations face significant risks from biometric data theft, as high-profile breaches have shown. In 2015, the U.S. Office of Personnel Management (OPM) suffered a breach that exposed the fingerprint data of over 5.6 million government employees. Technological advances such as liveness detection and infrared scanning have mitigated some vulnerabilities, but these measures do not entirely eliminate the risk.

The threats posed by biometric and wearable data theft are not confined to organisations though. Wearable devices such as smartwatches and fitness trackers serve as reservoirs of sensitive information. These gadgets not only collect health and geolocation data but also facilitate financial transactions through tap-to-pay functionality. Cybercriminals can exploit these features, analysing wearable usage patterns to orchestrate targeted crimes. For instance, the routine of a high-net-worth individual could be tracked to plan a burglary during a known absence.

Deepfakes compound the problem

The integration of artificial intelligence (AI) into cybercriminal strategies has further compounded the biometric problem. It has enabled the creation of realistic deepfakes that leverage stolen biometric data. These fabrications can deceive even the most discerning systems and individuals, facilitating fraud and allowing attackers to hone their spear phishing attempts. The dangers are evident in cases such as the one in 2020 in which a threat actor managed to steal $35 million by using AI to replicate a company director’s voice and deceive a bank manager. Similarly, in January 2024, a finance employee at British engineering firm Arup fell victim to a $25 million scam after a video call with a ‘deepfake chief financial officer’. Such examples illustrate that deepfakes are not just a theoretical concern but a tangible threat that businesses must address urgently.

The implications of deepfake technology extend beyond financial fraud, potentially undermining biometric authentication systems altogether. According to our 2024 State of Information Security Report, deepfake incidents accounted for 32% of security breaches among UK businesses in the past year, making it one of the most prevalent forms of cyber intrusion. By combining deepfake technology with stolen biometric data, attackers can craft highly convincing scams, leaving both individuals and enterprises vulnerable.

The role of regulation

Despite these alarming trends, solutions exist. The path forward requires collective action from individuals, manufacturers, and regulators to bolster defences. Device manufacturers must prioritise security features in their products, incorporating measures like end-to-end encryption and data minimisation practices – key principles of GDPR. By collecting only essential data and employing pseudonymisation, manufacturers can significantly reduce the risks associated with breaches; disaggregating biometric data from the individual makes it far less exploitable and significantly diminishes its value to attackers.
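As an added illustration (not code from the article or from ISMS.online), the following Python contrasts the two storage designs the paragraph describes: a direct store that keeps identity, template and raw scan together, and a minimised, pseudonymised store in which the template store holds nothing that names a person and the HMAC key that links the two lives with the identity directory. The enrolment records, field names and key are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample enrolment records, as a device vendor's backend might receive them.
# "template" stands in for an opaque fingerprint template; "raw_scan" is the over-collected field.
ENROLMENTS = [
    {"user_id": "u-1001", "email": "alice@example.com",
     "template": b"\x01\x02\x03\x04", "raw_scan": b"<raw image bytes>"},
    {"user_id": "u-1002", "email": "bob@example.com",
     "template": b"\x05\x06\x07\x08", "raw_scan": b"<raw image bytes>"},
]

def pseudonym(user_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): without the key, nothing in the template store names a person."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()

def enrol_direct(records):
    """Weak design: identity and biometric side by side, raw scan retained. One breach exposes both."""
    return {r["email"]: {"template": r["template"], "raw_scan": r["raw_scan"]} for r in records}

def enrol_pseudonymised(records, key):
    """Hardened design: minimise (drop the raw scan) and split identity from biometric data.
    Returns (identity_directory, template_store); the key is held with the directory, never the store."""
    directory, store = {}, {}
    for r in records:
        p = pseudonym(r["user_id"], key)
        directory[r["user_id"]] = {"email": r["email"], "pseudonym": p}
        store[p] = {"template": r["template"]}  # no email, no user_id, no raw scan
    return directory, store

def fields_exposed(store):
    """Field names obtained by copying one store (the lookup keys are exposed as well)."""
    names = set()
    for rec in store.values():
        names.update(rec)
    return sorted(names)

def verify(user_id, candidate, directory, store, key):
    """Matching path: resolve the pseudonym with the key, then compare templates in constant time.
    Real matchers score similarity between templates; exact comparison is a stand-in here."""
    p = directory[user_id]["pseudonym"]
    if not hmac.compare_digest(p, pseudonym(user_id, key)):
        return False  # directory entry was not produced under this key
    return hmac.compare_digest(store[p]["template"], candidate)
```

A copy of the pseudonymised template store yields only opaque HMAC values and templates; linking them to an account requires the key and the separately held directory.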

Regulatory frameworks, such as the EU AI Act and HIPAA in the U.S., provide critical guidelines for safeguarding sensitive information. While the EU AI Act remains relatively new, the act seeks to prohibit “the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement.”

Meanwhile, under the HIPAA Security Rule (2009) in the US, organisations must safeguard Protected Health Information (PHI), with wearables and smart devices increasingly being used to collect PHI. Separately, in 2021, Facebook was forced to pay $650m for violating Illinois privacy law, allegedly using photo face-tagging and other biometric data without the permission of its users.

How can individuals protect themselves?

For individuals, maintaining vigilance is paramount. Using layered security measures – such as combining biometric authentication with strong passwords or multi-factor authentication – can provide an additional buffer against attacks. Regularly updating device software to incorporate the latest security patches is another essential step.

In the unfortunate event of biometric or wearable data theft, immediate action is crucial. For individuals, this includes reassessing the security of compromised accounts and implementing stricter authentication measures.

What protocol should organisations follow in the event of a breach?

For businesses at risk of cyberattack, adhering to compliance requirements is essential. Breaches must be promptly reported to supervisory bodies like the ICO, and pre-established incident management protocols should be activated to mitigate further damage.

Following such incidents, organisations must acknowledge that parts of their authentication framework may no longer be secure. This should prompt a comprehensive risk assessment. Depending on the outcome, businesses might decide that the compromised asset is of low value and tolerable risk or determine that additional protective measures are necessary to address the vulnerability.

Seeking guidance from established standards can be instrumental in navigating these challenges. Frameworks like ISO 27001 offer clear strategies for identifying reliable suppliers and enhancing authentication practices. These standards outline essential actions, serving as invaluable resources for mitigating the risks tied to biometric and wearable data theft.

Looking ahead, the battle against biometric and wearable data theft will only intensify as technology continues to evolve. The integration of AI-powered hacking and the proliferation of advanced devices demand constant innovation on the side of cybersecurity defenders. With increased vigilance and by following best practices, organisations can build their resilience to counter these emerging threats.
