Let me explain the biometric authentication process. The first step is enrollment, which consists of acquiring the desired biometric trait, let's say a fingerprint, using the required sensor. A biometric template is then created, and authentication is done against that template. A long time ago, when biometrics were first introduced, this template was simply the images of the fingers - I'm referring to fingerprint usage by law enforcement.
Ratha, Connell and Bolle introduced the concept of cancelable biometrics. According to the same authors, classic storage of biometric information has the following issues:
- Biometric data is not secret - a face can be photographed, a fingerprint can be lifted from a glass, a voice can be recorded. Tsutomu Matsumoto et al. demonstrate how fingerprints gathered without the user's knowledge can be forged.
- Biometric data can't be revoked - your password was compromised? No problem, a new one will be issued. What about your fingerprints? Chopping the fingers off and replacing them is hard, especially the replacing part. When a biometric trait is compromised, that type of biometrics can't be used.
- Permanent tracking record - biometric data can be successfully used to track a user.
I'm not arguing that the breach might not be a real threat. I'm sure it might be, because from my experience most companies don't secure their databases. The best example, which is valid even today, is password encryption. Most sites still don't encrypt user passwords. If they get hacked, the hackers will have a list of usernames (aka emails) and passwords. Knowing that most users have the same password everywhere, the first thing a hacker will do is to hack the user's email using the same password. The sad part is that he will succeed in most cases.
My point is that most of the biometric systems today should use a form of cancelable biometrics for storing the templates. When we see news like this, a lot of people panic. Unfortunately, the people reporting this news don't elaborate on the details, which in this case are crucial.
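To make the revocation and tracking points above concrete, here is an added example (not code from the original post or from Ratha, Connell and Bolle) of one way to build a cancelable template: a key-seeded random projection with sign binarization, a BioHashing-style transform chosen here as an assumption. The feature vectors, key names, template size and match threshold are all constructed for illustration.

```python
import hashlib
import random

TEMPLATE_BITS = 128   # assumed size of the protected template
MAX_DISTANCE = 20     # assumed Hamming-distance match threshold

def _projection(key: bytes, dim_in: int):
    # The revocable key seeds a repeatable pseudo-random projection matrix.
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0, 1) for _ in range(dim_in)]
            for _ in range(TEMPLATE_BITS)]

def protect(features, key: bytes):
    """Distort the features with the keyed transform; only this result is stored."""
    return [1 if sum(w * x for w, x in zip(row, features)) >= 0 else 0
            for row in _projection(key, len(features))]

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def matches(stored, probe_features, key: bytes):
    # The fresh sample goes through the same transform before comparison,
    # so matching never needs the raw enrollment features.
    return hamming(stored, protect(probe_features, key)) <= MAX_DISTANCE

# Constructed sample data standing in for extracted fingerprint features.
_rng = random.Random(7)
ENROLL = [_rng.gauss(0, 1) for _ in range(32)]
SAME_FINGER = [x + _rng.gauss(0, 0.05) for x in ENROLL]   # sensor noise
OTHER_FINGER = [_rng.gauss(0, 1) for _ in range(32)]

if __name__ == "__main__":
    old = protect(ENROLL, b"site-A-key-v1")
    print("genuine match:", matches(old, SAME_FINGER, b"site-A-key-v1"))
    print("impostor match:", matches(old, OTHER_FINGER, b"site-A-key-v1"))
    # Database breached: issue a new key and re-enroll the same finger.
    new = protect(ENROLL, b"site-A-key-v2")
    print("bits changed by revocation:", hamming(old, new))
    print("same finger vs. new template:",
          matches(new, SAME_FINGER, b"site-A-key-v2"))
```

The same finger enrolled under two keys yields templates that differ in roughly half their bits, which is what allows re-issuing after a breach and prevents linking records across databases. The key has to be stored apart from the template, since a transform like this offers much less protection once both leak together.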