Biometric data of more than one million users exposed

Information includes fingerprints, facial recognition information, unencrypted usernames and passwords, etc

A biometrics system used by banks, governments and defence companies has suffered a major data breach, revealing the fingerprints of more than one million people as well as their facial recognition information, unencrypted usernames and passwords, and other personal information.

BioStar 2, a web-based biometric security smart lock platform managed by security company Suprema, uses fingerprints and facial recognition technology to give authorised individuals access to buildings. Last month the platform was also integrated into another access system - AEOS - which is used by 5,700 organizations across 83 countries, including some of the biggest multinational businesses, many small local businesses, governments, banks, and even the UK Metropolitan Police. 

Its security flaw was picked up by Israeli researchers Noam Rotem and Ran Locar, from VPN review service vpnmentor. In a routine network scan conducted last week, the pair found that BioStar 2's database was publicly available, and that by manipulating URL search criteria they were able to access nearly 28 million records and 23GB of data, including fingerprints, facial recognition data, passwords and security clearance information.

Since the breached information included usernames and passwords, the company warned it could allow would-be hackers to create or modify user credentials, allowing them access to any building secured using BioStar 2. The breach could also have implications for any employees enrolled in the security system. Personal information exposed could be used to commit identity fraud, and the fingerprint data (which was stored in an unencrypted format) could be used to gain access to any other systems secured using these same biometric credentials. Most worrying is the fact that you can’t change a fingerprint like you would a compromised password if it gets exposed like this.

Speaking to The Guardian, Rotem said the team made numerous attempts to get in touch with Suprema before taking their findings to the press, but had not yet had a response. However, Suprema's head of marketing, Andy Ahn, told The Guardian that the company had made an "in-depth evaluation" of vpnmentor's research and would let customers know if there was a threat.

"If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets," he said. The vulnerability has since been closed.