The Permanent Price of Losing Your Biometric Identity

Photo by: Mexico Business News and Unsplash

By Diego Valverde | Journalist & Industry Analyst - Fri, 08/15/2025 - 13:00

As biometric data grows as an authentication method, it introduces new and permanent security vulnerabilities. Since biometric data cannot be changed, if it is stolen once, it becomes a lifetime risk for the affected individuals. Mexico, which experienced over 1.77 billion attempted cyberattacks during 1Q25, an average of 59 million daily attacks, should pay attention to this permanent damage.

"Biometrics are changing the way we validate our identity... their adoption poses new security challenges," writes Maria Manjarrez, Security Researcher in the Global Research and Analysis Team for Latin America, Kaspersky, in a press release. “It is not about being afraid, it is about creating a digital environment where both users and organizations adequately protect this data.” The problem is not the technology itself, but the infrastructure and protocols that support it, says Manjarrez. 

Biometric data has become a supplement to, and in some cases a replacement for, traditional authentication methods such as the well-known password. It is rarely mentioned that we use these authentication methods every day for numerous activities, such as accessing cell phones, bank accounts, sports centers, houses/apartments, offices, and official documents, among others. Their main appeal is that the uniqueness of an individual's physical characteristics, like fingerprints, facial features, or irises, offers a higher level of security, one once considered breach-proof.

“This security mechanism gave [companies] an advantage over their rivals. It was 2013 and people could unlock their devices, download applications, and authorize purchases simply by placing their fingerprint on the smartphone's reader,” writes Ana Vázquez, Media Technique, Telefónica. “Afterwards, the rest of the technology companies with a good position in the market began to incorporate this system, popularizing its use not only in the cell phone sector, but also in others such as the healthcare, financial, or automotive sectors.”

However, one cannot change one's biometric traits, and that is their main vulnerability. While passwords can be revoked and replaced after a security breach, a compromised biometric identifier is a perpetual vulnerability for the affected individual, reports the Office of the Victorian Information Commissioner (OVIC).

In addition, biometric identity theft can be easy. Unlike a password, which can be stored in a person’s mind, biometric data exists in the physical world and must be captured and digitized. This process creates multiple points of failure. According to Cyber Security Intelligence, data can be stolen in many ways:

  • At the point of collection: Malicious actors can compromise the scanners or cameras used to capture the data, intercepting it before it is even secured.

  • During transmission: If the data is not sent through an encrypted channel from the device to the server, it can be captured in a "man-in-the-middle" attack.

  • From storage: Most often, biometric data is stored in large, centralized databases, which are high-value targets for hackers.

Increasingly, attackers are weaponizing facial recognition with advanced AI-powered malware to generate highly convincing "deepfake" images and videos, which can bypass even systems with liveness detection. These tools allow intruders to impersonate authentic users with unprecedented precision, fueling a black market where stolen or synthesized biometric data is sold for identity theft, fraud, and other cyberattacks.

Even before the technology shift the pandemic forced on all industries, biometric data was at risk. In 2019, Kaspersky reported that 37% of the equipment that collects and stores biometric data was subject to infection attempts, showing that attack entry points are multiple and present throughout the information processing chain.

The question remains: "is it that bad if cybercriminals get access to my biometric data?"

Once biometric data is compromised, "it can be used to impersonate a person, access confidential information or even cause physical harm," reports TrustCloud, which offers solutions to prevent fraud in regulated sectors. In the article “These are the Dangers of Selling Your Biometric Data,” TrustCloud explains that surrendering this information is equivalent to "sending copies of our identity documents without any kind of filter," opening the door not only to impersonation, but also to having one’s data sold to malicious actors.

"The main consequence of giving criminals control of all your accounts through fingerprint and facial recognition is financial harm,” says Rogelio Garduño, Executive Director of Fraud Prevention and Claims, Scotiabank, to MBN. “[Criminals] can open 'mule accounts' in your name, exposing you to illicit activities like money laundering, or even obtain official documents like passports to commit acts that could compromise your personal integrity."

Beyond the financial risks, there is the possibility of electoral fraud or, in the most serious scenario, that the theft of biometric identity would "pave the way to commit physical crimes." This could make it easier for criminals to access restricted areas or help them impersonate you to commit other criminal acts, says TrustCloud.

"The problem is evolving from simple theft to sophisticated forgery. If an institution lacks an efficient infrastructure to detect a 'live' biometric signature, these forgeries can be easily exploited,” says Garduño. “Many places are still not taking the adequate measures to safeguard the biometric data they capture, leaving individuals permanently exposed to fraud."

Mexico: A Highly Vulnerable and Potentially Lucrative Victim

This significant, and permanent, threat is rapidly evolving and gaining relevance. The latest report exposing this trend, which dates back to 2022, shows that 13% of the Mexican population suffered identity theft through the misuse of personal data, representing 17 million people, according to the National Population Council (CONAPO).

This scenario is further compounded by Mexico's position as a prime target for cybercriminals. In 2024, the country suffered 31 million successful attacks (accounting for 55% of all attacks in Latin America), according to Teramind. During 1Q25, Mexico experienced over 1.77 billion attempted cyberattacks, translating to an average of 59 million daily attacks, which represents a 65% growth compared to the previous quarter.

“The internet is growing at a 23% rate, while the economy is growing at 1%. That means Mexico is quickly becoming a digital economy, which makes it a more coveted target for cybercriminals,” says Carlos Torales, Vice President for Latin America, Cloudflare, to El Economista.

Beyond the threat it poses to individuals and companies, biometric theft can also put a country’s critical operations at risk. SILIKN reports that cyberattacks on key infrastructure systems have surged by 65%. These are the facilities and assets that are “vital to the functioning of society and the economy,” says IBM.

Industrial control systems (ICS), which are prevalent in sectors such as energy and manufacturing, are particularly susceptible, reports MBN. These systems were designed without modern cybersecurity standards, presenting a broad and unprotected attack surface. For example, SILIKN shows that 71.1% of security incidents reported in critical infrastructure during 2024 involved the exploitation of flaws in ICS.

IT security industry pioneer ESET, which protects over 110 million users worldwide, reports that cyberattacks on critical infrastructures “have left large traces in the countries where they occurred.” For example, the BlackEnergy incident left thousands of Ukrainians without electricity as a result of a Russian attack in 2015. Some attacks do not have financial targets, aiming only to cause harm. For example, in Florida, an attacker manipulated sodium hydroxide (lye) levels at a water treatment plant in an attempt to poison the community. If ingested, lye “can cause spontaneous vomiting, abdominal, and chest pain, difficulty swallowing, excessive salivation, and corrosive wounds,” reports ESET.

How Can Companies Protect Their Biometric Data?

To mitigate these risks, Kaspersky says that organizations must adopt a multilayered and proactive security approach. “Implementing protective measures is not optional but a requirement for business continuity and corporate liability management,” says Kaspersky in a press release. The company suggests focusing on:

  • Infrastructure Isolation and Hardening: Organizations should minimize the exposure of their biometric systems to public networks like the internet. The infrastructure architecture must be designed with a "security by design" approach, where cybersecurity controls are integrated from the conception phase.
  • Personnel Training and Specialization: The human element remains a critical link. It is essential to continuously train personnel who manage and operate biometric systems. Having specialized cybersecurity teams allows for real-time monitoring, effective incident management, and continuous risk assessment.
  • Threat Intelligence and Proactive Audits: Organizations must provide their security teams with access to threat intelligence platforms. This allows them to anticipate attacker tactics, techniques, and procedures (TTPs). Conducting regular security audits and penetration tests is also recommended to identify and correct weaknesses before they are exploited.
  • Transparency and Data Governance: Building customer trust and complying with data protection regulations require transparent communication about how biometric data is collected, stored, and used. Policies must clearly define who has access to the information and the response protocols in the event of a data leak.