Monitoring deep, dark and surface web to detect exposure of your sensitive data, secret projects and initiatives, privileged users, critical systems, IT infrastructure, and more.
Monitoring and alerting of third party data breaches impacting your employees’ emails, usernames, and personally identifiable information.
Assess the risk footprint and security posture of key business relationships to get a handle on external risk introduced through your extended attack surface.

Sign Up for Updates
Digital risk monitoring of key personnel with telemetry and risk metrics. VIPRecon provides broad coverage of social media, deep and dark web, as well as physical threat assessments.
Our Ransomware Response Readiness Assessment, Playbook and Table Top Exercise gives your organization the best chance to survive and recover.
Gain visibility of your digital footprint by reaching into the most active areas of the cyber underground.
Fully managed and tailored Threat Intelligence services that becomes an extension of your current security processes and provides real-time visibility on new threats.
Providing research and investigations into known threats, to save security teams time and stress during a cyber emergency.

Sign Up for Updates
GroupSense offers a comprehensive package of services for assessing and responding to ransomware attacks, including negotiations with threat actors.
Actively researching and monitoring threats from vendors or third-party companies that can affect organizational security.
Monitoring for threats to elections, VIPs, and more on social media to proactively prevent or mitigate digital risk.
Focusing on the threats and risks that matter to your security processes and providing intelligence and insights to prevent or mitigate digital risk.
Taking the next step in security services, by proactively taking down phishing sites or anonymously interacting with threat actors to provide better intelligence.
Active monitoring of your brand's digital assets to protect its reputation and stop further brand abuse from targeting unsuspecting victims.

Sign Up for Updates
Combining your cyber and fraud programs to effectively fight threat actors continually scamming or threatening assets within an organization.
Executives are prime targets for fraudulent activities, but with a proactive approach, any attacks or threats can be neutralized before causing any damage.
Governments, political parties and candidates must all act now to activate cyber threat intelligence services to harden their information security and get ahead of inevitable cyber threats to the election process.
4 min read

Biometric Security: More Risk than Reward

Feb 4, 2020 1:57:00 PM

Using biometrics for authentication has always been a source of controversy. At face value, it seems like a fool-proof way to authenticate users. Everyone has unique fingerprints, right? But if you dig a level deeper, you'll find the biometric access management systems that store fingerprints, irises, facial maps, or walking gaits as data. And we all know what happens to data if it’s not protected properly. This brings us to the big problem with biometrics: while passwords can be changed if there’s a data breach, fingerprints and other biometric data are permanent. One breach of a biometrics database is all it takes for someone to lose their identity for a lifetime.

This concern did not stop the inexorable march of technology, and biometric access-management systems have continued to evolve over the years until, predictably, we finally had a big biometric data security event: the Suprema incident.

The First Big Biometric Data Incident

According to an article published by The Guardian, security researchers discovered an unprotected and mostly unencrypted database belonging to Suprema, a security company responsible for the web-based Biostar 2 biometrics lock system. This database contained over 27.8 million records and 23 gigabytes of data which included fingerprint data, facial recognition data, face photos of users, and more.

Suprema’s customers use the system to manage building access across more than 1.5 million locations worldwide. Unfortunately, Suprema was storing actual biometric data in the Biostar 2 database, rather than hashes of that data. This meant that if threat actors could breach the database, they’d be able to change fingerprints so they could, for example, swap out authorized employees’ fingerprints for their own and penetrate buildings, and add create phony employees with their own fingerprints or faces to access said company.

Aside from the obvious security shortcomings of this situation, it raises some interesting legal issues, given the potential lifelong privacy problems a biometric data breach could cause victims. And as is often the case, the law lags behind technology, so the regulatory situation around biometrics remains somewhat immature and confusing. While some states have specific legislation around biometric data (Illinois’ Biometric Information Privacy Act being the most robust), in many states people’s biometric privacy is left in the hands of organizations, with no real regulatory oversight.

Subscribe to our blog to receive monthly updates on new content 

Regulations Fall Short

Even in states where there is biometric-specific regulation, the requirements of those regulations fall short of security best practices. Illinois, Texas, and Washington all have specific biometric privacy statutes, and a number of other states include biometric data in the definition of protected personal information in their consumer privacy laws. None, however, requires encryption of biometric data, which is a standard best practice for protecting data this sensitive.

 Even if regulations do not enforce modern best practices, organizations using biometrics should voluntarily adopt those practices to avoid class action suits and other legal exposure resulting from biometric data breaches. To date, these suits typically seek damages for things like “emotional suffering” (brought on, presumably, by the stress of not knowing how your biometric data is being used).

It is not too difficult, however, to see future situations where damages could be sought for more profound issues. For example, if an employee were to be falsely arrested for theft of company property due to a threat actor’s fraudulent use of the employee’s biometric data to access a building, that employee would likely have a significant claim for damages. It does not take an extraordinary imagination to think of scenarios where people would have claims based on the fraudulent use of their biometric signatures.

Adopting Best Practices

Companies can reduce their risk exposure from using or storing biometric data by adopting the following best practices*:

  1. Develop written policies covering how biometric data will be collected, used, distributed, and destroyed. (Oh, and then follow those policies!)
  2. Inform all relevant populations (employees, customers, etc.) how your organization is handling biometric information, mapped to the established policies.
  3. Encrypt biometric data at rest and in motion.
  4. Limit access to biometric data. If it must be accessed by a third party, create a contract detailing the parameters for how that third party is allowed to access and use the data.
  5. Consider storing less than 100 percent of biometric datasets. For example, only enough fingerprint data to identify a person – not the entire fingerprint.
  6. Consider implementing two-factor authentication in conjunction with biometric data.
  7. Address legal and statutory obligations regarding biometric data in all contracts with customers, vendors, etc., as well as employee handbooks.
  8. Review the organization’s general commercial liability insurance coverage to understand if it provides adequate coverage for biometric-related compliance and legal risks, and if not, determine if the carrier has the ability to help clients understand and manage these risks. (If not, find a new carrier that does).

*Source: ABA, 2019.

It is likely that states (and perhaps the federal government) will adopt similar practices as the basis for biometric data privacy regulations. For companies using these systems, adopting these practices now can reduce legal exposure today, and regulatory risk in the future. Organizations should also monitor the dark web for indicators of digital risk – whether it’s an insider offering access to a biometric database, or a corpus of biometric data for sale.

Contact GroupSense to learn more about monitoring the dark web for digital risk. The faster organizations can identify and mitigate these threats and incidents, the more they can control any potential damage caused by biometric data breaches, and ensure that biometric security delivers more reward than risk!

This article was written collaboratively by Kurtis Minder, CEO at GroupSense and Joe Meadows, a litigation partner at Bean, Kinney & Korman PC with experience in cyber and privacy issues. This article is for informational purposes only and is not intended to convey legal advice.
Topics: Blog
Editorial Team

Written by Editorial Team

Featured

cyber-tips