(August 15, 2019) – Security researchers have found a database containing unprotected biometrics, including fingerprints and facial recognition images, as well as passwords and other personal data, exposed on the internet. On August 5, the researchers accessed a total of over 27.8 million records, roughly 23 gigabytes of data. The database belongs to the web-based BioStar 2 biometrics lock system, which was developed by the South Korean company Suprema. Large parts of the database were unprotected and mostly unencrypted. Suprema says that the breach was closed on August 13.
The Israeli privacy researchers Noam Rotem and Ran Locar, working with vpnMentor, a service that reviews virtual private network services, have been running a side project to scan ports looking for familiar IP blocks. They used these blocks to find holes in companies’ systems that could potentially lead to data breaches. The database contained dozens of individuals’ personal details, which were collected by the platform for biometric authentication. The data contain users’ names, fingerprints, and images, but also employment records, email addresses, and home addresses.
‘Our team was able to access over 1 million fingerprint records, as well as facial recognition information. Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive,’ vpnMentor writes in its blog. The leaked data is of a highly sensitive nature, enabling hackers to access user accounts and permissions at facilities using BioStar 2.
As a web-based biometric security smart lock platform, BioStar 2 offers identity and access control products. Tens of millions of users could be affected by the leak, since BioStar 2 is used by companies all over the world and partners with various other access control companies. The data breach leaves business clients of BioStar 2 with huge security concerns, in addition to leaving their employees and consumers prone to fraud.
Reactions to the breach are mixed, as IT World Canada reports. Ann Cavoukian, a Canadian privacy expert and consultant, worries about whether the sensitive information fell into the wrong hands before the database was closed. However, Andras Cser, vice-president and principal security analyst for Forrester Research, views the situation more calmly. He explains that sophisticated image recognition cameras or sophisticated fingerprint readers are able to detect fake biometrics. Nevertheless, the breached data can be used for phishing scams, among other things.
So far, no Canadian company is listed among the range of businesses affected by the leak.