A web server containing records of about 76,000 unique fingerprints was left exposed on the internet, researchers said Wednesday. The unsecured fingerprint data, as well as employee email addresses and telephone numbers, had been collected by Brazilian company Antheus Tecnologia.
The database, which contained nearly 2.3 million data points, most of them server access logs, has since been secured, according to Anurag Sen, the researcher who published his findings with the antivirus review site Safety Detectives. The fingerprint data was stored as a raw binary stream rather than as images. Binary encoding is not protection, though: Sen said bad actors may be able to decode that data and turn it back into a biometric image of a fingerprint.
And even if they can't find a way to use the data for bad purposes at the moment, that will change as technology advances, Sen said.
"It might be that in the future they'll find a way to exploit it," Sen said. "Fingerprints are permanent throughout life."
Antheus Tecnologia didn't immediately respond to a request for comment.
The research is another example of an exposed database, a growing problem that reveals sensitive data to anyone who finds the server's address. As companies move internal data from their own servers to the cloud, inexperienced IT staff often leave web-based databases reachable from the internet with no authentication at all. Such exposures have revealed the national identity numbers of theatergoers in Peru, the personal contact information held in a UK marketing database and the medical records of drug rehab patients in the US. Researchers seek out the leaks and try to get the companies to secure the data.
Authentication isn't the only way to keep cloud databases safe. MongoDB, for example, recently added client-side field-level encryption, which lets database managers store sensitive fields in the cloud in encrypted form, so an exposed database yields only ciphertext. But for either approach to work, the features have to be turned on and configured correctly: a database that listens on every network interface with authorization switched off is open regardless of what the vendor offers.
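To make "turned on and configured correctly" concrete, here is an added example (written for this page, not code from the article, from Antheus Tecnologia or from MongoDB) that audits a mongod configuration for the settings that decide whether the database is reachable without credentials. The option names net.bindIp, net.bindIpAll, security.authorization and net.tls.mode are MongoDB's real configuration keys; the weak and hardened configurations themselves are constructed for illustration, and nothing here says the exposed server ran MongoDB. Client-side field-level encryption is configured in the client driver, not in mongod, so it is outside what this check can see.

```python
# Added example: audit mongod settings for unauthenticated exposure.
# Option names are MongoDB's; the two configurations are constructed samples.

WEAK_CONF = {
    # YAML equivalent:
    #   net:
    #     port: 27017
    #     bindIp: 0.0.0.0
    # (no security section, so authorization is left at its default, disabled)
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
}

HARDENED_CONF = {
    # YAML equivalent:
    #   net: {port: 27017, bindIp: "127.0.0.1,10.0.0.5", tls: {mode: requireTLS}}
    #   security: {authorization: enabled}
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5",
            "tls": {"mode": "requireTLS"}},
    "security": {"authorization": "enabled"},
}

PUBLIC_BIND = {"0.0.0.0", "::"}  # wildcard addresses for IPv4 and IPv6


def audit_mongod(conf):
    """Return a list of findings for a mongod config dict; empty means the checks pass."""
    findings = []
    net = conf.get("net", {})
    # bindIp is a comma-separated string; mongod defaults to localhost only
    bind = {h.strip() for h in str(net.get("bindIp", "127.0.0.1")).split(",")}
    listens_publicly = bool(net.get("bindIpAll")) or bool(bind & PUBLIC_BIND)
    auth_enabled = conf.get("security", {}).get("authorization") == "enabled"
    tls_mode = net.get("tls", {}).get("mode", "disabled")

    if listens_publicly:
        findings.append("net.bindIp: listens on all interfaces")
    if not auth_enabled:
        findings.append("security.authorization: not enabled, any client that "
                        "reaches the port can read every collection")
    if listens_publicly and not auth_enabled:
        findings.append("CRITICAL: unauthenticated database reachable from every "
                        "network the host is on")
    if tls_mode != "requireTLS":
        findings.append(f"net.tls.mode is {tls_mode}: credentials and data cross "
                        "the wire unencrypted")
    return findings
```

The combination the third check flags is the one behind most of the exposures described above: a cloud host with a public address, a wildcard bind and no authorization. Either setting alone is survivable for a short time; together they put the whole dataset one TCP connection away.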
The fingerprint data consisted of minutiae, the ridge bifurcations and ridge endings that matching algorithms use to tell one fingerprint from another. Logs in the exposed cache also let the researchers tie individual records to specific fingerprint scans. Other serious exposures of fingerprint data include the 2015 breach of the US Office of Personnel Management, in which hackers stole background check data on federal employees, including fingerprints that OPM first put at 1.1 million and later revised to 5.6 million.
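As an added illustration of why a "binary data stream" is no safeguard (example code written for this page, not Antheus Tecnologia's software and not the format Sen examined, which the report does not document): the block below defines a hypothetical minutiae template layout, decodes such a blob back into ridge endings and bifurcations, and scores the decoded template against a fresh scan with a simple tolerance-based matcher. The layout, the magic bytes, the tolerances and all sample minutiae are assumptions constructed for the example; real matchers also align for rotation and translation, which is omitted here.

```python
import struct
from collections import namedtuple
from math import hypot

# Hypothetical template layout, constructed for this example (the real format on
# the exposed server is not documented in the report):
#   header : magic b"MNT1" (4 bytes) + minutia count (uint16, big-endian)
#   record : x (uint16), y (uint16), angle (uint8, 256ths of a turn), kind (uint8)
MAGIC = b"MNT1"
HEADER = struct.Struct(">4sH")
RECORD = struct.Struct(">HHBB")
RIDGE_ENDING, BIFURCATION = 1, 2
Minutia = namedtuple("Minutia", "x y angle kind")


def encode_template(minutiae):
    """Serialise minutiae into the kind of raw binary blob a database would hold."""
    out = bytearray(HEADER.pack(MAGIC, len(minutiae)))
    for m in minutiae:
        out += RECORD.pack(m.x, m.y, m.angle, m.kind)
    return bytes(out)


def decode_template(blob):
    """Recover structured minutiae from the blob; raise ValueError if malformed."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    magic, count = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("unrecognised template magic")
    if len(blob) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match blob length")
    return [Minutia(*RECORD.unpack_from(blob, HEADER.size + i * RECORD.size))
            for i in range(count)]


def is_valid_template(blob):
    try:
        decode_template(blob)
        return True
    except ValueError:
        return False


def _angle_diff(a, b):
    d = abs(a - b) % 256  # angles wrap around, so 255 and 0 are neighbours
    return min(d, 256 - d)


def match_score(probe, reference, dist_tol=12, angle_tol=16):
    """Greedy one-to-one pairing of minutiae with the same type, nearby position
    and similar angle. Returns the fraction of the larger template that paired.
    Assumes both scans are already in the same coordinate frame."""
    unused = list(reference)
    paired = 0
    for p in probe:
        best, best_d = None, float("inf")
        for r in unused:
            if r.kind != p.kind or _angle_diff(r.angle, p.angle) > angle_tol:
                continue
            d = hypot(r.x - p.x, r.y - p.y)
            if d <= dist_tol and d < best_d:
                best, best_d = r, d
        if best is not None:
            unused.remove(best)
            paired += 1
    denom = max(len(probe), len(reference))
    return paired / denom if denom else 0.0


# Constructed sample data: one enrolled finger as it would sit in the leaked
# database, a fresh noisy scan of the same finger, and an unrelated finger.
ENROLLED = [
    Minutia(40, 55, 30, RIDGE_ENDING),
    Minutia(120, 80, 200, BIFURCATION),
    Minutia(90, 140, 64, RIDGE_ENDING),
    Minutia(150, 160, 128, BIFURCATION),
    Minutia(60, 200, 90, BIFURCATION),
]
LEAKED_BLOB = encode_template(ENROLLED)  # what an attacker pulls off the server

FRESH_SCAN = [  # same finger: jittered, one minutia missed, one spurious
    Minutia(43, 52, 33, RIDGE_ENDING),
    Minutia(118, 84, 196, BIFURCATION),
    Minutia(92, 137, 60, RIDGE_ENDING),
    Minutia(152, 163, 130, BIFURCATION),
    Minutia(10, 10, 0, RIDGE_ENDING),
]
OTHER_FINGER = [
    Minutia(200, 20, 10, RIDGE_ENDING),
    Minutia(30, 230, 140, BIFURCATION),
    Minutia(180, 210, 250, RIDGE_ENDING),
]


def leaked_template_matches(blob, scan, threshold=0.6):
    """Would the leaked blob, once decoded, be accepted as the same finger as scan?"""
    return match_score(scan, decode_template(blob)) >= threshold
```

The point of the exercise is the asymmetry: decoding takes a dozen lines once the layout is known, and the decoded minutiae match a fresh scan of the same finger (4 of 5 pairs here) while scoring zero against an unrelated one. Because the template describes the finger itself rather than a revocable secret, it stays useful to whoever holds it for as long as the finger exists, which is the permanence Sen is pointing at.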
In his report with Safety Detectives, Sen said the importance of keeping fingerprints securely stored is growing. Indeed, academic researchers have created biometric replicas that can fool fingerprint readers in a simulated setting (they didn't test real phones). In the future, hackers could use a high-quality fake to access the private information on your phone or computer, Sen said, "such as messages, photos and payment methods stored on your device."