El Salvador data breach includes selfies and ID numbers for 80% of country’s population

By Chris Burt

Organizations storing reference data to perform face biometrics matches should not store that data in unencrypted form. This basic best practice requirement appears to be lost on many organizations, however, with a database of Salvadorans’ personal information leaked on the dark web the latest example.

More than 5.1 million records of personal details, including high-definition facial photos labelled with the individual’s El Salvador national ID document number (DUI), have been made available for free on the dark web, Resecurity reports. The cybercriminal responsible for the data dump appears to have first attempted to sell the breached personal information.

The number and nature of the records has prompted speculation on social media (caveat emptor) that the breach is from national digital wallet Chivo.

The source of the data and the party that breached it, however, remain uncertain. Resecurity notes a possible connection to known hacker group Guacamaya, which has attacked governments and businesses in several Latin American countries. The data dump was posted to a hacker forum by a user with the alias “CiberinteligenciaSV.”

The data includes people’s full name, date of birth, telephone number, and email and physical addresses, in addition to the national ID information and selfie photos. The number of records represents approximately 80 percent of El Salvador’s total population, or almost all of its adult population.

The data seems unlikely to help any hacker attempting to defeat an onboarding or access control system protected with presentation attack detection, but could be useful for defeating systems as negligent of cybersecurity best practices as the source of the data.

If the facial images had been stored properly, as encrypted templates held in a different database from the rest of the personal data, they would have had no practical value to the party that exfiltrated them, or anyone else.

Storing the data in a way no privacy or biometrics professional would recommend is one problem, but attaching the ID number and other personal information could make the breach significantly more damaging. Many people’s facial images may have been available and associated with their names on social media accounts, for example, but the breach appears to make Salvadorans relatively easy targets for cybercriminals looking to open accounts under assumed names, which would normally require them to gather other information contained in the leaked database.

Resecurity notes a report by Reuters that Latin America had the highest share of unprotected data of any region in the world in 2022.

Source: Biometric Update

Chris Burt is managing editor and industry analyst at Biometric Update. He has also written nonfiction about information technology, dramatic arts, sports culture, and fantasy basketball, as well as fiction about a doomed astronaut. He lives in Toronto. You can follow him on Twitter @AFakeChrisBurt.

Become a Patron!
Or support us at SubscribeStar
Donate cryptocurrency HERE

Subscribe to Activist Post for truth, peace, and freedom news. Follow us on SoMee, Telegram, HIVE, Minds, MeWe, Twitter – X, Gab, and What Really Happened.

Provide, Protect and Profit from what’s coming! Get a free issue of Counter Markets today.

Activist Post Daily Newsletter

Subscription is FREE and CONFIDENTIAL
Free Report: How To Survive The Job Automation Apocalypse with subscription