Recent data breaches in Mexico have raised concerns about initiatives by private and public institutions to gather biometric data.
On January 23, the Mexican NGO “Network in Defense of Digital Rights” (R3D) reported a significant data breach. In a press release, R3D said that databases of private banks and Mexican institutions were put up for sale on an Internet forum on January 22.
The banks involved are the Spanish firms Santander and BBVA. The database of the Mexican Institute of Social Security (IMSS) was also compromised.
The leaked databases were initially reported by two Twitter accounts belonging to computer security experts.
On Sale: Sensitive private data of users
The BBVA database exposed personal data such as the person’s full name, address, telephone number, and tax ID. In the case of the Santander database, in addition to the above information, the seller leaked the account number of each user.
The leaked IMSS database also includes data such as the name and address of the employer, as well as the name, affiliation number, CURP, and base salary of the worker.
The BBVA database put up for sale contains one million records, Santander’s includes three million, and the IMSS database consists of 42 million records.
In addition to these institutions, other databases of Mexican companies and institutions have been put up for sale on the dark web. According to R3D, on January 25 another seller offered the databases of companies such as Coppel, Banamex, and Movistar, as well as organizations such as the Federal Electricity Commission, the National Electoral Institute, the Institute of Social Security and Services of State Workers, and the Institute of the National Housing Fund for Workers, among others.
Sale of private data on the dark web
On Twitter, Hiram Camarillo, director and founder of the security firm Seekurity, and the Bank Security group denounced the leaks and described their contents.
In the case of Bank Security, the team managed to contact the seller. They said that he “has a good reputation in dark web forums and therefore it may be true that the database is real.”
Data breaches in Mexico warn of the risks of biometric data
The R3D organization expressed its concern about the lack of security with which companies and government organizations in Mexico manage their databases. For the organization, the incidents “are a reminder of the duty that companies and obligated subjects have in the protection, treatment, and transfer of personal data.”
These leaks set a bad precedent. R3D pointed out that they are a warning about the risks of creating centralized databases such as the one planned for the National Register of Mobile Phone Users. The NGO stressed that there are no adequate security guarantees.
R3D also stressed that companies must notify users when they have been affected by data breaches in Mexico. However, neither BBVA nor Santander had so far issued any statement on the disclosure of these databases.
For R3D, the security problems revealed indicate that companies should curb their efforts to collect and store biometric information, since a leak of such data can have worse effects on users.