Researchers from vpnMentor discovered the personal and biometric data (i.e. facial recognition and fingerprint information) of more than a million people exposed online on an unsecured database owned by the Suprema biometric security company.
The 23-GB ElasticSearch archive was discovered earlier in August, data contained in the database were collected from customers utilizing BioStar 2.
Data was collected by the UK Metropolitan police, small local businesses and governments globally.
Suprema developed the BioStar 2 software that allows to implement control access using biometric data, including facial recognition and fingerprinting. Currently, the BioStar 2 is used by more than 6,000 organizations, including businesses, governments, financial organizations and the UK Metropolitan Police.
“The data leaked in the breach is of a highly sensitive nature. It includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using BioStar 2.” reads the post published by vpnMentor. “Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities.”
vpnMentor experts explain that this data leak endangers both the organizations involved, as well as their employees.
The archive included 27.8 million records that also contained sensitive data like employee home address and emails, employee records and security levels and more.
The leak affected several organizations worldwide, some examples of the impacted businesses included:
USA
United Kingdom
Germany
Scammers could perform various fraudulent activities by combining users’ fingerprint records with personal details, usernames, and passwords.
One of the most disconcerting issues of this case is that biometric data was stored in plain text.
At the time it is not possible to determine if the archive has been accessed by third parties, below the timeline shared by vpnMentor.
Experts pointed out that BioStar 2 was very uncooperative, vpnMentor team made numerous attempts to contact the company over email, without success.
Suprema Inc. is currently investigating the incident.
“Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can’t be undone. The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company.” concludes vpnMentor.
“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.
Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities.”
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – Suprema data leak, biometric)
[adrotate banner=”5″]
[adrotate banner=”13″]
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical…
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler…
A financially motivated group named GhostR claims the theft of a sensitive database from World-Check…
Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve…
Japan's CERT warns of a vulnerability in the Forminator WordPress plugin that allows unrestricted file uploads…
This website uses cookies.