Biometric Data Breach at ChoiceDNA

Thousands of Sensitive Facial Recognition Records

In a stark reminder of the growing risks tied to the use of biometric data, ChoiceDNA, an Indiana-based company that offers DNA testing and facial recognition services, has suffered a significant data breach. An estimated 8,000 facial recognition records were left exposed online in a publicly accessible folder, raising serious concerns over privacy, data security, and the potential misuse of sensitive personal information.

The breach, first discovered by an independent cybersecurity researcher, involved documents labeled as “Facial Recognition Uploads.” These records were part of ChoiceDNA’s FACE IT DNA service, a technology that compares facial features to help determine genetic relationships, often used in paternity and family-related cases. The service, as described on the company’s website, analyzes over 68 points of facial connectivity to assess familial relationships based on submitted photographs.

The exposure of biometric data, particularly facial recognition images, is considered a high-risk privacy breach due to the uniquely personal nature of such information. Unlike passwords or credit card numbers, which can be changed in the event of theft, biometric data is permanent and irreplaceable. The implications of this breach are severe, as facial recognition data can be misused for identity theft, fraud, and even the creation of deepfakes—synthetic media that impersonates real individuals.

Unanswered Questions Surround the Breach

While the breach has since been contained, with the files being restricted from public access following a responsible disclosure notice, key questions remain unanswered. It is unclear how long the data was left exposed or whether any unauthorized parties accessed it during that time.

ChoiceDNA has yet to issue a public statement addressing the breach, and the company did not respond to inquiries about the incident. It is also unknown whether the company directly managed the server where the data was stored or whether a third-party vendor was responsible for securing it.

A forensic audit would be required to determine the full extent of the exposure, including whether other sensitive data was compromised or whether there was any suspicious activity surrounding the files. Without such an audit, the potential for long-term damage to the individuals affected remains uncertain.

Rising Concerns About Biometric Data Security

The ChoiceDNA data breach underscores a broader issue facing companies that collect and store biometric data. As the use of facial recognition technology grows across industries, from law enforcement to consumer services, so too do the risks of large-scale breaches.

Biometric data, which includes facial images, fingerprints, iris scans, and DNA, is increasingly recognized as a highly sensitive category of personal information. According to a 2023 policy statement from the Federal Trade Commission (FTC), the collection and storage of such data “pose new and increasing risks to consumers, businesses, and society.” The FTC highlighted the potential for biometric data to be used in the creation of counterfeit videos or voice recordings, which could allow bad actors to impersonate individuals for fraud, defamation, or harassment.

Moreover, large databases of biometric information, such as those maintained by companies like ChoiceDNA, are attractive targets for hackers. Once exposed, biometric data can be sold on the dark web, used for identity theft, or leveraged in other illicit activities. Unlike traditional personal data breaches, the long-term consequences of biometric data leaks are particularly concerning because this information cannot be altered or replaced.

Calls for Stronger Regulation

The breach comes amid increasing scrutiny over the handling of biometric data in the United States. Several states, including Illinois, Texas, and California, have enacted laws to regulate the collection and use of biometric identifiers, with more states, such as Florida, Arkansas, and Maryland, considering similar legislation. These laws typically require companies to obtain explicit consent from individuals before collecting biometric data and mandate strict protocols for data storage and security.

While federal legislation on biometric data privacy has yet to materialize, the ChoiceDNA incident may renew calls for stronger national protections. Privacy advocates argue that, as biometric data becomes more integrated into daily life, companies must be held accountable for safeguarding this information.

“We’re entering a world where biometric data will be the key to unlocking everything from your bank account to your personal devices,” said Amanda Jansen, a privacy advocate who argues for stricter biometric data regulations. “But without proper safeguards in place, that same data could unlock a whole new set of risks.”

It remains to be seen how ChoiceDNA will address the fallout from this breach. While the company has restricted access to the exposed files, the lack of a formal response has left affected individuals and privacy experts questioning whether adequate steps are being taken to ensure future data security.

In the meantime, those whose biometric data may have been compromised are advised to monitor their accounts for signs of identity theft or fraudulent activity. Experts also recommend that individuals contact the company to request the deletion of any personal data stored in its systems.

The ChoiceDNA breach is a wake-up call for companies handling sensitive biometric data and a sobering reminder for consumers of the long-lasting risks tied to the misuse or exposure of such information. As the digital world increasingly turns to biometrics for security and identification, the responsibility to protect this irreplaceable data has never been more critical.
