A large data breach has exposed a tranche of biometric data, including facial recognition data and fingerprints, belonging to millions of people. Researchers Noam Rotem and Ran Locar found the exposed data in the database used by security company Suprema's Biostar 2 platform; it also contained usernames and passwords.
The database held 27.8 million records, totalling 23 GB of data, and was publicly accessible. It is still unclear whether anyone other than the researchers accessed the data.
Biostar 2 is a physical access control platform used by organizations around the world, mostly to control entry to commercial buildings. When an employee presents an access card or a fingerprint to enter a building, Biostar 2 is one of the systems that may be performing the check behind the scenes. The system is deployed in the US, the UK, Japan, India and the UAE.
The exposed database was writable as well as readable, so attackers could have altered existing records or added their own, which opens the door to identity fraud. The leaked fingerprints could also be used to gain entry to high-security facilities. That is the more serious problem: a compromised password can be changed, but a fingerprint is permanent.
Biostar 2 was recently integrated with AEOS, another access control system, which is used in 83 countries by organizations including government services such as the UK Metropolitan Police Service.
Surprisingly, the database was largely unsecured and easily accessible, and the records it held were stored without encryption. Encryption would not have stopped anyone from reaching the database, but it would have made the records useless to whoever did; as it was, anyone who found the database could read its contents directly.
"We were able to find plain-text passwords of administrator accounts. The access allows, first of all, seeing that millions of users are using this system to access different locations and seeing in real time which user enters which facility, or even which room in each facility. We [were] able to change data and add new users," Rotem told The Guardian.
The researchers tried repeatedly to contact Suprema before going public with their findings, but the company was unreachable. Once the findings were published, Suprema's head of marketing, Andy Ahn, told media outlets that the company was conducting an "in-depth" investigation of the breach and would advise its customers if a threat was found.