Fingerprints and facial recognition data exposed in major breach
More than one million fingerprints and a host of usernames and passwords have been exposed on an unsecured database hosted by a security platform that lists the Metropolitan Police among its clients.
Researchers claim to have discovered the publicly accessible information on the web-based BioStar 2, which is owned and operated by South Korean company Suprema.
The firm describes itself as a “global powerhouse in biometrics, security and identity solutions” and sells its services to thousands of organisations around the world, including businesses, banks and Scotland Yard.
BioStar 2 is a security system that allows biometrics to be used to grant people access to buildings and other restricted areas.
It hosts an enormous amount of fingerprint and facial identification data – plus the usernames and passwords associated with them.
Internet privacy researchers Noam Rotem and Ran Locar, of vpnMentor, say they discovered that BioStar 2 had been breached on 5 August and that it was not resolved for eight days.
In a report published on the vpnMentor website, they said: “This is a huge leak that endangers both the businesses and organisations involved, as well as their employees.
“Our team was able to access over one million fingerprint records, as well as facial recognition information – combined with the personal details, usernames and passwords, the potential for criminal activity and fraud is massive.”
The pair said Suprema had been “generally very uncooperative” since being made aware of the issue, through which they were able to access more than 27.8 million records totalling 23GB of data.
Among the information seen were entry and exit times, home addresses and emails.
But they said the potential for biometrics to be stolen was of greatest concern, adding: “Facial recognition and fingerprint information cannot be changed. Once they are stolen, it cannot be undone.”
As well as fraud, they said victims could be at risk of blackmail, extortion and theft.
Security experts have described the scale of the leak as “disturbing”.
Piers Wilson, of cyber security firm Huntsman Security, said: “The huge quantity of sensitive personal information, such as biometric data, that has potentially been exposed to cyber criminals as a result of poor cyber security practices by Suprema is disturbing to see.
“Such basic mistakes, including not encrypting data and making admin passwords easily accessible, are easy to avoid and there should have been steps taken to better protect systems.
“This breach is just another example of why cyber security must be taken more seriously in all businesses.”
John Sheehy, director of strategic security services at research company IOActive, said: “The more secure an organisation itself is, the more attractive that organisation’s supply chain becomes in the mind of the attacker – and you can’t get any more secure than a government, bank or police force.
“An attacker wants to find the easiest pathway to get into the network so oftentimes, it’s the supplier who has an exploitable vulnerability that can get them full access into the original target’s network.”