ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress folder. Privacy concerns highlight the need for stronger data protection.
An Indiana-based genetic DNA testing and facial matching service provider exposed thousands of customers’ personal, biometric, and PII data. This incident was reported to Hackread.com by cybersecurity researcher Jeremiah Fowler, known for identifying and reporting misconfigured databases to companies before malicious actors exploit them.
The problematic aspect of this incident is that there was no misconfigured database or a compromised cloud server this time. It was just an unsecure WordPress folder hosting a treasure trove of sensitive data left for public access without any password or security authentication.
The exposed data comprised around 8,000 documents. It included biometric images, names, phone numbers, email addresses, racial or ethnic identities, and personal notes detailing reasons for seeking facial DNA analysis. The exposed information also includes records of vulnerable individuals, including newborn children.
These records were stored in a non-secure WordPress folder titled “Facial Recognition Uploads,” accessible to anyone with a web browser. The exposure lasted for an unknown duration, raising concerns about the potential misuse of this sensitive information.
In his report for vpnMentor shared with Hackread.com ahead of publishing, Fowler explained that Biometric data, such as facial recognition information, is highly sensitive and can be used to identify individuals, track their movements, and even manipulate their identities through deepfakes. Collecting, storing, and analyzing such data without explicit consent is a serious violation of individual privacy.
Metadata, the information that describes, organizes, and manages data, can also pose significant risks. In this case, the exposed metadata included personally identifiable information (PII) such as names, emails, and phone numbers. This information could be exploited for phishing, social engineering, or blackmail attempts.
For your information, ChoiceDNA is an Indiana-based company that offers DNA testing and facial recognition service called FACE IT DNA It uses facial comparison technology to analyze images to determine the likelihood of a genetic link between family members. The BASIC package is $38, while the PRO package is $63.
Fowler sent the company a responsible disclosure notice after which the database was promptly secured. Still, such incidents show the importance of secure data storage practices. WordPress, while a popular content management system, can be vulnerable if not configured correctly. The exposed data in this case was stored in a non-secure WordPress folder, highlighting the need for robust security measures to protect sensitive information.
Companies and users/customers with known data exposure should immediately change passwords and avoid reusing the same passwords for multiple accounts. Create strong, unique passwords for each account and enable two-factor authentication (2FA) as an additional layer of security.
Be cautious when exposing emails and phone numbers, as potential phishing attempts or suspicious requests for additional information can occur. Verify requests for sensitive information, such as banking or credit card information, to ensure the person on the other end and the request are legitimate.
RELATED TOPICS
- Data of 7 Million 23andMe Users from DNA Service Hacked
- Researchers Encode Physical DNA with Malware to Infect PC
- DNA testing website MyHeritage hacked; 92M user accounts stolen