
Facial DNA provider leaks biometric data via WordPress folder

ChoiceDNA exposed 8,000 sensitive records, including biometric images, personal information and facial DNA data, in an unsecured WordPress folder. The privacy concerns highlight the need for stronger data protection.

An Indiana-based provider of genetic DNA testing and facial recognition services exposed the personal, biometric and PII information of thousands of customers. This incident was reported to Hackread.com by cybersecurity researcher Jeremiah Fowler, who is known for identifying and reporting misconfigured databases to companies before malicious actors exploit them.

What makes this incident notable is that, this time, there was no misconfigured database or compromised cloud server. It was simply an unsecured WordPress folder holding a trove of sensitive data, publicly accessible without a password or any other form of authentication.

The exposed data comprised around 8,000 documents, including biometric images, names, phone numbers, email addresses, racial or ethnic identities, and personal notes detailing the reasons for seeking facial DNA analysis. The exposure also included records of vulnerable people, among them newborn children.

These records were stored in an unsecured WordPress folder titled “Facial Recognition Uploads,” accessible to anyone with a web browser. How long the data was exposed is unknown, raising concerns about possible misuse of this sensitive information.

In his report for vpnMentor shared with Hackread.com ahead of publication, Fowler explained that biometric data, such as facial recognition information, is highly sensitive and can be used to identify people, track their movements, and even manipulate their identities through deepfakes. Collecting, storing and analyzing such data without explicit consent constitutes a serious invasion of individual privacy.

Metadata, the information that describes, organizes, and manages data, can also pose significant risks. In this case, the metadata exposed included personally identifiable information (PII) such as names, emails, and phone numbers. This information could be exploited for phishing, social engineering, or extortion attempts.

FYI: ChoiceDNA is an Indiana-based company that offers DNA testing and a facial recognition service called FACE IT DNA. It uses facial comparison technology to analyze images and determine the likelihood of a genetic connection between family members. The BASIC package costs $38 while the PRO package costs $63.

Fowler sent the company a responsible disclosure notice, and the data was secured immediately. Nevertheless, such incidents show the importance of secure data storage practices. Although WordPress is a popular content management system, it can be vulnerable if not configured correctly. The exposed data in this case was stored in an unsecured WordPress folder, highlighting the need for robust security measures to protect sensitive information.
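To put a bound on the unknown length of an exposure like this, an operator would turn to the web server's access logs. The following Python is an added example, not code from the article, vpnMentor or ChoiceDNA: it scopes successful reads of a public uploads folder from constructed combined-format log lines, where the folder path, IP addresses and file names are hypothetical.

```python
"""Scope an exposure window from web-server access logs (added example, not
from the article or ChoiceDNA). Given combined-format access log lines, report
when a public WordPress uploads folder was first and last read, by how many
clients, and whether the bare folder URL (a directory listing) was served."""
import re
from datetime import datetime

# Hypothetical path: the article names the folder only by its display title.
EXPOSED_PREFIX = "/wp-content/uploads/facial-recognition-uploads/"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def scope_exposure(lines: list[str], prefix: str = EXPOSED_PREFIX) -> dict:
    """Return first/last access, distinct clients, listing hits and files read under prefix."""
    first = last = None
    clients, files, listing_hits = set(), set(), 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(prefix):
            continue
        if m.group("status") != "200":
            continue  # only successful reads count as exposure; 404s are noise
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        clients.add(m.group("ip"))
        path = m.group("path").split("?", 1)[0]
        if path == prefix:
            listing_hits += 1  # bare folder served with 200: directory index was enabled
        else:
            files.add(path)
    return {"first": first, "last": last, "clients": len(clients),
            "listing_hits": listing_hits, "files_read": len(files)}

# Constructed sample lines using documentation IP ranges and made-up file names.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Sep/2024:10:01:12 +0000] "GET /wp-content/uploads/facial-recognition-uploads/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Sep/2024:10:01:40 +0000] "GET /wp-content/uploads/facial-recognition-uploads/sample-001.jpg HTTP/1.1" 200 88120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Sep/2024:02:14:03 +0000] "GET /wp-content/uploads/facial-recognition-uploads/sample-002.jpg HTTP/1.1" 200 90011 "-" "curl/8.0"',
    '198.51.100.7 - - [03/Sep/2024:02:14:05 +0000] "GET /wp-content/uploads/facial-recognition-uploads/missing.jpg HTTP/1.1" 404 196 "-" "curl/8.0"',
    '192.0.2.9 - - [03/Sep/2024:08:00:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scope_exposure(SAMPLE_LOG))
```

A non-zero `listing_hits` count is the tell that the folder was browsable as a directory index, which is the condition the article describes; the first/last timestamps and client count give the exposure window a notification would need to cover.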

Companies, and any users or customers whose data is known to have been exposed, should change their passwords immediately and avoid reusing the same password across multiple accounts. Create a strong, unique password for each account and enable two-factor authentication (2FA) as an additional layer of security.

Be careful when giving out email addresses and phone numbers, as exposed contact details can lead to phishing attempts or suspicious requests for additional information. Verify any request for sensitive information, such as bank or credit card details, to ensure that both the person on the other end and the request itself are legitimate.
