A recent data breach at ChoiceDNA, a company that provides DNA testing and facial recognition services, has exposed thousands of biometric records, raising concerns over the security of sensitive personal data. An estimated 8,000 facial recognition files were discovered in an unprotected folder, leaving them vulnerable to unauthorized access. The breach has drawn renewed attention to the risks associated with biometric data and to how companies secure it.
The exposed documents were tied to ChoiceDNA’s FACE IT DNA service, a platform that uses facial recognition to help determine genetic relationships, such as paternity or family ties. The service, as described on the company’s website, compares over 68 facial features to draw connections between alleged family members using uploaded photographs.
Biometric data, including facial recognition images, is particularly sensitive because it is both permanent and irreplaceable. Unlike traditional passwords, which can be changed if compromised, biometric identifiers like facial features or fingerprints cannot be altered. This makes the exposure of such data especially dangerous, with far-reaching consequences for privacy and security.
Uncertainty Lingers After Breach
Although the files have since been taken offline, it remains unclear how long they were publicly accessible or whether any malicious actors accessed them. The cybersecurity researcher who discovered the breach immediately reported it to ChoiceDNA, but the company has not responded to the disclosure, leaving many questions unanswered.
It is also unclear whether the company itself managed the system where the data was stored or whether a third-party contractor was responsible for securing the information. Without an in-depth forensic audit, it is impossible to determine the extent of the breach or whether other sensitive data was compromised.
The lack of communication from ChoiceDNA has drawn criticism from privacy advocates, who argue that companies handling biometric information have a duty to be transparent with customers and the public following any security incidents.
The Dangers of Biometric Data Exposure
The breach at ChoiceDNA brings to light the broader risks posed by the collection and storage of biometric data. Biometric information—including facial recognition, fingerprints, and DNA—is becoming increasingly common as a method of identity verification, but its unique nature also makes it highly vulnerable to misuse.
Biometric data is permanent and cannot be changed, making it valuable for cybercriminals. If stolen, it could be used to create fake identities, gain unauthorized access to personal accounts, or even produce deepfakes—convincing but fraudulent videos or images that impersonate real people. As deepfake technology improves, the misuse of exposed biometric data for impersonation, fraud, or defamation becomes a growing concern.
The Federal Trade Commission (FTC) has warned that as biometric data becomes more integrated into everyday life, it presents new privacy challenges. In a 2023 policy statement, the FTC noted that the misuse of biometric information could lead to serious harms, including identity theft and the production of counterfeit media like deepfakes. Large-scale biometric databases, like the one at ChoiceDNA, also become lucrative targets for hackers.
Growing Pressure for Regulation
The ChoiceDNA breach comes at a time when several U.S. states are taking steps to regulate the use of biometric data. Illinois, Texas, California, and New York have already enacted laws that require companies to obtain informed consent before collecting biometric data and to implement strict security protocols to protect that data. Meanwhile, other states, including Florida, Maryland, and Arkansas, are in the process of developing similar regulations.
Advocates for stronger privacy protections argue that these laws are necessary as more companies collect biometric information without clear standards for securing it. The lack of a federal biometric data law has led to a patchwork of state regulations, creating inconsistencies in how biometric data is handled across the country.
“Biometric data is becoming central to our lives, from unlocking our phones to accessing our bank accounts,” said Jessica Walton, a data privacy expert. “But the consequences of a biometric breach are much more serious than traditional data breaches because this information is unique and can’t be changed.”
A Need for Greater Accountability
In the aftermath of the ChoiceDNA data breach, many are calling for more accountability and transparency from companies that collect sensitive biometric data. The breach exposed thousands of individuals to potential privacy risks, yet the company has remained silent, leaving affected customers uncertain about the safety of their personal information.
Experts recommend that individuals whose data may have been exposed closely monitor their financial and online accounts for signs of identity theft or fraud. They also suggest reaching out to ChoiceDNA to inquire about the deletion of personal data and to ensure it is no longer stored in the company’s systems.
The breach serves as a reminder of the potential dangers of storing large amounts of biometric information without robust security measures in place. As the use of biometric data continues to expand, companies must prioritize protecting this sensitive information, and consumers should be aware of the risks involved in sharing their biometric data with third-party services.
While the full impact of the ChoiceDNA breach remains unknown, it has intensified the discussion around data security and privacy in the digital age. Both businesses and policymakers will need to work together to ensure that biometric data is handled responsibly and securely in the future.