FB pixel

El Salvador data breach includes selfies and ID numbers for 80% of country’s population

El Salvador data breach includes selfies and ID numbers for 80% of country’s population
 

Organizations storing reference data to perform face biometrics matches should not store that data in unencrypted form. This basic best practice requirement appears to be lost on many organizations, however, with a database of Salvadorans’ personal information leaked on the dark web the latest example.

More than 5.1 million records of personal details, including high-definition facial photos labelled with the individual’s El Salvador national ID document number (DUI), have been made available for free on the dark web, Resecurity reports. The cybercriminal responsible for the data dump appears to have first attempted to sell the breached personal information.

The number and nature of the records has prompted speculation on social media (caveat emptor) that the breach is from national digital wallet Chivo.

The source of the data and the party that breached it, however, remain uncertain. Resecurity notes a possible connection to known hacker group Guacamaya, which has attacked governments and businesses in several Latin American countries. The data dump was posted to a hacker forum by a user with the alias “CiberinteligenciaSV.”

The data includes people’s full name, date of birth, telephone number, and email and physical addresses, in addition to the national ID information and selfie photos. The number of records represents approximately 80 percent of El Salvador’s total population, or almost all of its adult population.

The data seems unlikely to help any hacker attempting to defeat an onboarding or access control system protected with presentation attack detection, but could be useful for defeating systems as negligent of cybersecurity best practices as the source of the data.

If the facial images had been stored properly, as encrypted templates held in a different database from the rest of the personal data, they would have had no practical value to the party that exfiltrated them, or anyone else.

Storing the data in a way no privacy or biometrics professional would recommend is one problem, but attaching the ID number and other personal information could make the breach significantly more damaging. Many people’s facial images may have been available and associated with their names on social media accounts, for example, but the breach appears to make Salvadorans relatively easy targets for cybercriminals looking to open accounts under assumed names, which would normally require them to gather other information contained in the leaked database.

Resecurity notes a report by Reuters that Latin America had the highest share of unprotected data of any region in the world in 2022.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Biometrics race for the borders

Biometrics to ease border crossings are a major theme of the week among Biometric Update’s most-read articles of the week….

 

US election likely to be a missed opportunity to advance digital ID policy

The 2024 U.S. election represents an opportunity for social dialogue around digital identity policy in the wake of a series…

 

India to pilot Digi Yatra for foreign nationals in 2025

India is planning an international pilot project for June 2025 that will see the introduction of facial recognition technology beyond…

 

Papua New Guinea advances digital ID, wallet and govt platform to pilot

Papua New Guinea has stood up a new digital ID, wallet and online government platform, and plans to pilot them…

 

UK police organized crime unit seeks new facial recognition software

The UK’s main law enforcement agency against organized crime is looking into new facial recognition solutions, as the country doubles…

 

The EUDI Wallet was not meant for age assurance: AVPA

The European Union should not look at the EU Digital Identity (EUDI) Wallet as an age-assurance solution to keep minors…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events