El Salvador data breach includes selfies and ID numbers for 80% of country’s population

Organizations storing reference data to perform face biometrics matches should not store that data in unencrypted form. This basic best practice requirement appears to be lost on many organizations, however, with a database of Salvadorans’ personal information leaked on the dark web the latest example.

More than 5.1 million records of personal details, including high-definition facial photos labelled with the individual’s El Salvador national ID document number (DUI), have been made available for free on the dark web, Resecurity reports. The cybercriminal responsible for the data dump appears to have first attempted to sell the breached personal information.

The number and nature of the records has prompted speculation on social media (caveat emptor) that the breach is from national digital wallet Chivo.

The source of the data and the party that breached it, however, remain uncertain. Resecurity notes a possible connection to known hacker group Guacamaya, which has attacked governments and businesses in several Latin American countries. The data dump was posted to a hacker forum by a user with the alias “CiberinteligenciaSV.”

The data includes people’s full name, date of birth, telephone number, and email and physical addresses, in addition to the national ID information and selfie photos. The number of records represents approximately 80 percent of El Salvador’s total population, or almost all of its adult population.

The data seems unlikely to help any hacker attempting to defeat an onboarding or access control system protected with presentation attack detection, but could be useful for defeating systems as negligent of cybersecurity best practices as the source of the data.

If the facial images had been stored properly, as encrypted templates held in a different database from the rest of the personal data, they would have had no practical value to the party that exfiltrated them, or anyone else.

Storing the data in a way no privacy or biometrics professional would recommend is one problem, but attaching the ID number and other personal information could make the breach significantly more damaging. Many people’s facial images may have been available and associated with their names on social media accounts, for example, but the breach appears to make Salvadorans relatively easy targets for cybercriminals looking to open accounts under assumed names, which would normally require them to gather other information contained in the leaked database.

Resecurity notes a report by Reuters that Latin America had the highest share of unprotected data of any region in the world in 2022.

Article Topics

biometrics  |  Chivo  |  data privacy  |  El Salvador  |  face biometrics  |  identity management  |  national ID