Pierluigi Paganini August 15, 2019

Researchers discovered an unsecured database online owned by Suprema that contained the fingerprints and facial recognition information of one million people.

Researchers from vpnMentor discovered the personal and biometric data (i.e. facial recognition and fingerprint information) of more than a million people exposed online on an unsecured database owned by the Suprema biometric security company.

The 23-GB ElasticSearch archive was discovered earlier in August, data contained in the database were collected from customers utilizing BioStar 2.

Data was collected by the UK Metropolitan police, small local businesses and governments globally.

Suprema developed the BioStar 2 software that allows to implement control access using biometric data, including facial recognition and fingerprinting. Currently, the BioStar 2 is used by more than 6,000 organizations, including businesses, governments, financial organizations and the UK Metropolitan Police.

“The data leaked in the breach is of a highly sensitive nature. It includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using BioStar 2.” reads the post published by vpnMentor. “Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities.”

vpnMentor experts explain that this data leak endangers both the organizations involved, as well as their employees.

The archive included 27.8 million records that also contained sensitive data like employee home address and emails, employee records and security levels and more.

The leak affected several organizations worldwide, some examples of the impacted businesses included:

USA

• Union Member House – Coworking space and social club with 7,000 users.
• Lits Link – Software development consultancy.
• Phoenix Medical – Medical products manufacturer.

United Kingdom

• Associated Polymer Resources – Plastics recycling specialists.
• Tile Mountain – Home decor and DIY supplier.  
• Farla Medical – Medical supply store.

Germany

• Identbase – Data belonging to this supplier of commercial ID and access card printing technology was also found in the exposed database.

Scammers could perform various fraudulent activities by combining users’ fingerprint records with personal details, usernames, and passwords.

One of the most disconcerting issues of this case is that biometric data was stored in plain text.

At the time it is not possible to determine if the archive has been accessed by third parties, below the timeline shared by vpnMentor.

• Date discovered: 5th August 2019
• Date vendors contacted: 7th August 2019
• Date of Action: 13th August, the breach was closed

Experts pointed out that BioStar 2 was very uncooperative, vpnMentor team made numerous attempts to contact the company over email, without success.

Suprema Inc. is currently investigating the incident.

“Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can’t be undone. The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company.” concludes vpnMentor.

“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.

Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities.”

Pierluigi Paganini

(SecurityAffairs – Suprema data leak, biometric)

[adrotate banner=”5″]

[adrotate banner=”13″]