Thousands of fingerprint files exposed in unsecured database, research finds

Exclusive: The data reveals important distinguishing characteristics of 76,000 fingerprints.

Laura Hautala


A web server containing records of about 76,000 unique fingerprints was left exposed on the internet, researchers said Wednesday. The unsecured fingerprint data, as well as employee email addresses and telephone numbers, had been collected by Brazilian company Antheus Tecnologia.

The database, which contained nearly 2.3 million data points, most of which were server access logs, has now been secured, according to Anurag Sen, the researcher who published his findings with antivirus review site Safety Detectives. The fingerprint data was stored as a binary data stream, which is a string of ones and zeroes. Sen said bad actors may be able to turn that data back into a biometric image of a fingerprint.

And even if they can't find a way to use the data for bad purposes at the moment, that will change as technology advances, Sen said.

"It might be that in the future they'll find a way to exploit it," Sen said. "Fingerprints are permanent throughout life."

Antheus Tecnologia said in a statement Thursday that the fingerprints didn't come from customers, adding that the exposed information was publicly available data it had used for testing. "There is no sensitive data on this server," a spokesperson said in a statement.

The company obtained the fingerprints from its own development team and a set of data from NIST, a spokesperson said. Antheus Tecnologia also said it used hashing in the storage of the data to make it "cryptographically impossible to obtain the original image."

The research is another example of exposed databases, a growing problem that reveals sensitive data to anyone with the right IP address. As companies move internal data to the cloud from their own servers, inexperienced IT staff often accidentally leave the web-based databases without password protection. This has revealed the national identity numbers of theatergoers in Peru, the personal contact information held in a UK marketing database and the medical records of drug rehab patients in the US. Researchers seek out the leaks and try to get companies to secure the data.

Password protection isn't the only way to keep cloud databases safe. A new feature from software maker MongoDB lets database managers store encrypted data on the cloud. But for either of these approaches to work, the features have to be turned on and configured correctly.

The fingerprint data included ridge bifurcation and ridge ending data, both of which describe characteristics used to tell fingerprints apart. Logs in the exposed cache also let researchers see which records were associated with a specific fingerprint scan. Other exposures of fingerprint data include the breach of the US Office of Personnel Management in 2015, in which hackers stole background check data on federal employees, including more than 1 million fingerprints.

In his report with Safety Detectives, Sen said the importance of keeping fingerprints securely stored is growing. Indeed, academic researchers have created biometric replicas that can fool fingerprint readers in a simulated setting (they didn't test real phones). In the future, hackers could use a high-quality fake to access the private information on your phone or computer, Sen said, "such as messages, photos and payment methods stored on your device."
