A significant data breach involving biometric images and personal details from DNA testing company ChoiceDNA has been discovered by cybersecurity researcher Jeremiah Fowler. Fowler reported the breach to vpnMentor, revealing that approximately 8,000 sensitive documents, including biometric images and metadata, were accessible to the public without any password protection.
The exposed data, stored in an unsecured WordPress folder, included not only facial recognition images but also personally identifiable information (PII) such as names, phone numbers, email addresses, and even sensitive notes regarding the reasons for DNA face matching tests.
Fowler’s findings suggest that this data was available for an unknown period, and the security flaw was only closed a week after it was reported. The extent of access to the compromised data remains unclear, pending a forensic audit.
ChoiceDNA, an Indiana-based firm offering DNA testing and facial recognition services, could face ethical and legal challenges regarding this exposure. Some U.S. states have enacted stringent biometric privacy laws, and the Federal Trade Commission (FTC) has highlighted the risks associated with the misuse of biometric data, including potential fraud and impersonation.
The incident raises serious concerns about the security practices of companies handling sensitive biometric information, particularly those relying on WordPress for data storage. Experts recommend more secure alternatives like cloud-based solutions to prevent such vulnerabilities, along with additional protective measures like two-factor authentication (2FA) and Web Application Firewalls (WAF).
Bijay Pokharel