Antheus Tecnologia is a Brazilian biometric company which provided technological security support to companies, and it was one of the first to operate as an Automated Fingerprint Identification System (AFIS) developer and distributor. The business had a policy of maintaining the fingerprints of its client organizations' employees and also had access to their personal information. The problem which arose was a major data breach in March of 2020, which exposed 76,000 fingerprints from an unsecured server. The server contained binary data streams and not the actual scans, and this made the hacking process easy for the hackers, as they only had to duplicate the fingerprints (Antheus Tecnologia Biometric Data Breach – 7 Defence 2021). The fingerprints which were hacked are in the public domain, which makes them viable for other unethical uses in future. Along with the fingerprints, the breach also revealed that important information such as the email IDs and telephone numbers of the employees was lost, which can be regarded as a major breach.
The breach of its clients' data was a major loss for the business and affected the reputation of the company in the market. In terms of social damage, none has been reported, but there is a high possibility that the stolen information would be used for an unethical purpose. The breach itself impacted the company and revealed that the internal control of the business was quite weak.
The operational processes which Antheus Tecnologia follows are fully based on information security, and the business follows an innovative framework so that advanced security products can be provided to its clients. The breach directly raised questions about the integrity of the controls and about the products developed by the business (Biometrics company 2020). Some of the prominent risks which can be identified for the business are listed below:
- Network Security Risks: The network maintained by Antheus Tecnologia was neither very secure nor very systematic. Further, the network which the business used to store data was not at all secure, which the management of the company openly ignored. As per the case information, the server contained 16 gigabytes of data, with 81.5 million records. The stored records covered the admin register, the phone numbers of employees and their email IDs. The case reveals that more data was available but was not lost, which can only be considered a miracle.
- Database system risks: The database management system of the company was flawed from the beginning, as information was stored on an unsecured network. The storage of information raised questions about the internal control framework of the business and about the level of technology it followed. The risk in the database management system directly implied that data loss was imminent, and this reflects weaknesses in the internal control system (Gray 2015).
- Ineffective management of data risks: The senior management of the company should have been responsible for managing the client's data and ensuring that the actual fingerprints were properly encoded. The business also did not have a proper backup plan for the fingerprints: if the management had maintained a hash, the lost fingerprints could have been reverse engineered. The encryption level of the data was also ordinary, which clearly shows that the management was not ready for such a breach and is a major indication that the management did not manage its operations in an appropriate manner.
When an auditor engages with such an audit program, the first step is to assess the internal control of the business so that risks can be identified and the auditor can follow the audit plan accordingly (Newmark, Dickey and Wilcox 2018). The main risks which have been identified for the audit engagement are listed below, along with the audit objectives and relevant procedures which are applicable to the situation.
Audit Plan: To assess the efficiency of the network and ensure that the data is properly encrypted.
- Confirmation of the network controls so that the effectiveness of the system can be assessed.
- Assess the data set which is maintained by the business and ensure that the same is accurate in every manner.
- Assess the internal control of the business so that proper estimation can be made on its strength and weaknesses.
- The auditor would be looking to assess the internal control and thereby would be looking to apply compliance procedures (Alles and Gray 2020).
- The auditor would be checking the safety systems installed such as the firewall and anti-virus software in order to ensure that the same are relevant and updated.
- The auditor would apply observation technique to assess the entering of data into the system.
Audit Plan: Assessing the database storage system and backup control system which the business utilizes
- The access to the database management system needs to be ascertained.
- Further an assessment needs to be made on the efficiency of the backup system
- To ascertain whether the storage of data and its controls are secured or not.
- Undertake procedures to ensure that a security key or password is used for the database system and also for the backup drives.
- Assess the backup register to determine whether the backups are performed in a timely manner or not.
- Observe the workings of the database administrator so that weaknesses can be identified.
Audit Plan: Inappropriate management of data
- Data management process for the business needs to be verified for accuracy purposes
- Assessment of whether the data set incorporated in the system are encrypted or not and whether the fingerprints entered have been hashed or not for the purpose of better security.
- The auditor would check the employee list and whether the person appointed has the necessary skills to handle the data management process.
- The auditor would follow the data entry process to assess its efficiency.
Some of the obvious questions which the auditor would raise to test the efficiency of the network system are appropriately listed below:
- What are the steps which the business takes for preparing the IT structure?
- How many people have access to the database system and the fingerprints of the clients, and do they have proper clearance?
- Whether the employees have proper job training and necessary skills to undertake the work?
- How does the business maintain a proper audit trail for the auditing process at the end of the period?
Some of the prominent documentation which is mandatory for conducting an IS audit in an appropriate manner is:
- Information Systems policy guidelines
- Job protocols for all employees
- Code of conduct and working hours information
Some of the obvious questions which the auditor would raise for analyzing the data management system in terms of the business are listed below:
- Does the business maintain a login register to track every day login activities with time?
- Whether the business follows an authorization policy for accessing the database or not?
- What is the interval at which internal checks are undertaken on the system for any malware or viruses?
Some of the prominent documentation which is required for conducting an IS audit in an appropriate manner is:
- Register showing login details
- Verification forms and access passwords
- Register showing maintenance data.
Some of the important recommendations which can be made to the executives of Antheus Tecnologia for undertaking change management plans are listed below in detail:
- The management needs to undertake appropriate steps to ensure that regular internal checks are carried out, so that any foreign software or malware can be identified and removed from the system (Kim et al. 2017).
- The management of the company needs to utilize hashed fingerprints instead of regular fingerprints, so that a level of confidentiality is maintained and the business can avoid instances of duplication of the fingerprints.
- The management of the company needs to undertake appropriate steps to ensure that access to the main server is restricted to a few people, so that efficiency is maintained.
- The management of the company needs to undertake appropriate steps to update the records and the technological level of the database, so that malware or viruses cannot infiltrate the system and effectiveness can be maintained (Younas and Kassim 2019).
The analysis undertaken above shows that the breach of the data and personal information of the employees was mainly due to mismanagement by the executives. It shows that the network where the data was actually stored was unsecured and that no proper encryption or encoding was applied to the data, which made it quite easy for anyone to duplicate it. In addition, the analysis shows the procedures which an auditor would undertake to assess the IS risks and to suggest appropriate measures so that the risks can be mitigated. It also sets out some recommendations which can be implemented by the business to restore the integrity of the internal control and to ensure that such an incident does not take place in future.
Alles, M.G. and Gray, G.L., 2020. Will the medium become the message? A framework for understanding the coming automation of the audit process. Journal of Information Systems, 34(2), pp.109-130.
Antheus Tecnologia Biometric Data Breach – 7 Defence (2021). Available at: https://7defence.com/antheus-tecnologia-biometric-data-breach/
Biometrics company leaves unhashed fingerprint data of thousands exposed to internet | Biometric Update (2020). Available at: https://www.biometricupdate.com/202003/biometrics-company-leaves-unhashed-fingerprint-data-of-thousands-exposed-to-internet (Accessed: 28 March 2021).
Gray, I., 2015. The audit process: principles, practice & cases.
Kim, S.L., Teo, T.S., Bhattacherjee, A. and Nam, K., 2017. IS auditor characteristics, audit process variables, and IS audit satisfaction: An empirical study in South Korea. Information Systems Frontiers, 19(3), pp.577-591.
Newmark, R.I., Dickey, G. and Wilcox, W.E., 2018. Agility in audit: Could scrum improve the audit process?. Current Issues in Auditing, 12(1), pp.A18-A28.
Younas, A. and Kassim, A.A.M., 2019. Essentiality of internal control in Audit process. International Journal of Business and Applied Social Science, 5(11), pp.1-6.