A massive data breach in the Philippines does appear to contain millions of fingerprint records, despite officials claiming the leak "doesn't include biometrics". But one fingerprint specialist has questioned how useful the leaked data would be to criminals.
Earlier this month security researchers uncovered what appears to be the largest ever government data breach, affecting 55 million voters in the Philippines. The data, which has been widely distributed on both the dark and clear web, comprises of 228,605 email addresses; 1.3 million passport numbers and expiry dates of overseas Filipino voters; and 15.8 million fingerprint records.
"If you lose a password you can change it," security expert Troy Hunt told WIRED. "You can't change a fingerprint. Short of using a belt sander, it's not going to be much fun."
Five fields in the main 338GB database obtained by hackers relate to fingerprint data: PRINT_FLAG, FINGER_INFO, FINGER_TOPO_COORD, QUALITY, MATCHING_FINGER. The third field contains a series of codes that likely correlate to individual fingerprint records.
But the biometric data may be utterly useless without access to a computer system that can interpret it, fingerprint expert Chris Johnson told WIRED. "Very often the computer systems developed for countries are bespoke," said Johnson, a fingerprint trainer at the College of Policing for England and Wales. The Filipino system, he continued, had likely been built specifically for them. "Even though the data has been leaked, they would need to find another computer that could understand it."
Johnson said there was little risk of people's fingerprints being replicated or used for identity fraud if criminals only have access to these codes and not the images to which they relate. "It's the data, not the image itself," he explained.
When stored digitally, fingerprint data is typically converted into a unique code relating to the patterns known as minutiae. Computer software measures the distance and angle between a series of points, creating a unique map of the print. This code can then be matched whenever that finger is scanned again. The Philippines started collecting voter fingerprint data in 2015, with citizens given 17 months to register on the new biometric system.
Other data contained within the breach, which security researchers believe to be authentic, includes physical address, place of birth, height, weight, gender, marital status and parents' names. All of this information was unencrypted. Some data, such as first and last names and dates of birth, was encrypted. "Once you start combining these attributes, your ability to impersonate someone is greatly enhanced," Hunt said.
The leaked database was a "real hodgepodge" of data structures, with file names suggesting hasty copy-and-pasting of old versions, poor maintenance and lax management. "It's very, very shoddy. This was probably something that hasn't had much love," Hunt added.
The attack took place on March 27, with a group describing itself as Anonymous Philippines defacing the website of the Philippines' Commission on Elections (Comelec). It isn't yet known how the attack was carried out and what security flaws were exploited. Following the breach a second hacker group, LulzSec Pilipinas, posted the database online. It has since been mirrored and widely shared.
In the days after the attack Comelec claimed that "no sensitive information" was held on the site, but it has since softened its stance. Speaking on April 12, Filipino authorities said they were still investigating the data as it was taking "a little time" to download all of it. Despite analysis from security experts, Comelec officials still say the data has not been authenticated, but admitted that it being copied was a worst case scenario. The attack, officials added, would not compromise election results.
Hunt contacted five people included in the breach to verify if the information leaked about them was accurate. All five replied to confirm that the information Hunt had found was true. "This thing is so freaking huge. This is very sensitive data," Hunt said, referring specifically to unencrypted passport information of overseas Filipino voters. "With it being leaked, we might be looking at the revocation of these passports."
Analysis of the data by computer security firm Trend Micro also found fields headed 'VOTESOBTAINED', which suggests the system may have been intended for counting votes for candidates. A vote to elect a new president and vice president will take place on May 9.
Comelec has since said that it would be using a "different website" for collecting and reporting results. "The election results website will be very secure. It will be hosted somewhere else. It will have its own set of security features which are different and of a higher quality than the one we are using now," Comelec spokesperson James Jiminez told reporters on March 29.
The data breach in the Philippines is the latest in a worrying trend of government security failures. In June 2015 hackers attacked the United States Office of Personnel Management and made away with personal information relating to 21 million people, including 5.6 million fingerprint records.
Earlier this month, a breach of Turkey's government servers led to the personal data of 50 million citizens being posted online. The data, which has been verified as authentic, included the names, addresses, parents's first names, cities of birth, birth dates and the nation identification number used by Turkish authorities.
Updated 15/04/16, 13:33: Some mentions of the Philippines' Commission on Elections (Comelec) incorrectly abbreviated it to Comolec. This has now been corrected.