Biometric data and personal information exposure patched by genetic test lab

A genetic testing and “DNA Face Matching” company in the United States has left a trove of facial images and personally identifiable metadata exposed in a WordPress folder without even password protection, vpnMentor says.

Indiana-based ChoiceDNA left a folder titled “Facial Recognition Uploads” and containing an estimated 8,000 documents vulnerable, according to a post from Cybersecurity Researcher Jeremiah Fowler. Facial images and descriptions are considered biometric data, even if not processed for identification purposes, the FTC declared in a policy statement last year.

ChoiceDNA says its DNA Face Matching service uses biometrics to assess the likelihood that people are related. Even the identity of an individual who sought the service, therefore, could be sensitive information. The metadata accompanying the images included names, phone numbers, email addresses, ethnicity and notes on why the person was seeking DNA analysis.

Fowler disclosed the vulnerability to the company, and it was addressed within a week. No reply or indication of how long the folder had been exposed was provided.

Given the proximity of the company’s base of operations to Illinois, home of the Genetic Information Privacy Act (GIPA), there could yet be legal fallout.

Fowler also notes that “facial recognition services based on a photo that is uploaded without the photo subject’s consent raises potential ethical and privacy concerns.”

The post states that there is no indication at this point that any data was breached, and Fowler concludes with advice for protecting WordPress sites.

Article Topics

biometric data  |  biometric matching  |  ChoiceDNA  |  data protection  |  dna  |  face biometrics