The El Salvador data breach includes selfies and ID numbers for 80% of the country’s population

Organizations that store credential data to perform facial biometric matching should not store that data in unencrypted form. However, this basic requirement for best practices seems to be lost on many organizations, with the latest example being a database of Salvadorans’ personal information leaked onto the dark web.

More than 5.1 million records of personal data, including high-definition facial photos with the person’s El Salvador National Identity Document (DUI) number, have been made available for free on the dark web, Resecurity reports. The cybercriminal responsible for the data dump appears to have first tried to sell the leaked personal information.

The amount and nature of the data has given rise to speculation on social media (caveat emptor) that the breach comes from the national digital wallet Chivo.

However, the source of the data and the party that leaked it remain uncertain. Resecurity notes a possible connection with the well-known hacker group Guacamaya, which has attacked governments and companies in several Latin American countries. The data dump was posted to a hacker forum by a user with the alias “CiberinteligenciaSV.”

The data includes people’s full name, date of birth, phone number and email and physical addresses, in addition to national identity information and selfie photos. The number of records represents approximately 80 percent of El Salvador’s total population, or almost the entire adult population.

The data seems unlikely to help a hacker trying to bypass an onboarding or access control system secured with presentation attack detection, but could be useful for defeating systems so negligent of cybersecurity best practices as the source of the data.

If the facial images had been stored properly, as encrypted templates in a separate database from the rest of the personal data, they would have had no practical value to the party that exfiltrated them, or to anyone else.

Storing the data in a way that no privacy or biometrics professional would recommend is one problem, but linking the ID number and other personal information could make the breach significantly more damaging. Many people’s facial photos may have been available and linked to their names on social media accounts, for example, but the breach appears to make Salvadorans relatively easy targets for cybercriminals looking to open accounts under fake names, which would normally require them to collect other information . in the leaked database.

Resecurity notes a Reuters report that Latin America had the highest share of unprotected data of any region in the world in 2022.

Article topics

biometrics | Chivo | data privacy | El Salvador | facial biometrics | identity management | national identity card