FB pixel

El Salvador data breach includes selfies and ID numbers for 80% of country’s population

El Salvador data breach includes selfies and ID numbers for 80% of country’s population

Organizations storing reference data to perform face biometrics matches should not store that data in unencrypted form. This basic best practice requirement appears to be lost on many organizations, however, with a database of Salvadorans’ personal information leaked on the dark web the latest example.

More than 5.1 million records of personal details, including high-definition facial photos labelled with the individual’s El Salvador national ID document number (DUI), have been made available for free on the dark web, Resecurity reports. The cybercriminal responsible for the data dump appears to have first attempted to sell the breached personal information.

The number and nature of the records has prompted speculation on social media (caveat emptor) that the breach is from national digital wallet Chivo.

The source of the data and the party that breached it, however, remain uncertain. Resecurity notes a possible connection to known hacker group Guacamaya, which has attacked governments and businesses in several Latin American countries. The data dump was posted to a hacker forum by a user with the alias “CiberinteligenciaSV.”

The data includes people’s full name, date of birth, telephone number, and email and physical addresses, in addition to the national ID information and selfie photos. The number of records represents approximately 80 percent of El Salvador’s total population, or almost all of its adult population.

The data seems unlikely to help any hacker attempting to defeat an onboarding or access control system protected with presentation attack detection, but could be useful for defeating systems as negligent of cybersecurity best practices as the source of the data.

If the facial images had been stored properly, as encrypted templates held in a different database from the rest of the personal data, they would have had no practical value to the party that exfiltrated them, or anyone else.

Storing the data in a way no privacy or biometrics professional would recommend is one problem, but attaching the ID number and other personal information could make the breach significantly more damaging. Many people’s facial images may have been available and associated with their names on social media accounts, for example, but the breach appears to make Salvadorans relatively easy targets for cybercriminals looking to open accounts under assumed names, which would normally require them to gather other information contained in the leaked database.

Resecurity notes a report by Reuters that Latin America had the highest share of unprotected data of any region in the world in 2022.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News


Digital identity leaders shepherd wallets into the mainstream

Discussion and debate at the European Identity and Cloud (EIC 2024) conference focused largely on how to achieve trust among…


Suprema, Strata Identity, Gunnebo gain security certifications

Recent certifications for Suprema, Strata Identity, Gunnebo and ISS reflect the broader industry trend towards stringent information security measures, ensuring…


Biometrics entering everyday activities via rising technologies

Biometrics underpin the new technologies that people will soon use on a daily basis for everything from payments to age…


Anticipation for Metalenz and Samsung’s answer to Face ID mounts

After Samsung and Metalenz collaborated to incorporate Samsung’s Isocell Vision 931 image sensor into Metalenz’s Polar ID imaging technology, Mashable…


Germany beefs up border security ahead of UEFA Championship

Germany has been ramping up security measures such as border checks and CCTV surveillance in preparation UEFA European Football Championship…


Inverid and Cybernetica team up to secure digital ID, signatures with biometric MFA

A new partnership has been formed by Inverid and Cybernetica to combine the NFC ID document-scanning capabilities of the former…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events