Millions of sensitive data have been compromised after a biometrics service company leaked databases that belonged to their clients, including several businesses, law enforcement agencies, government and financial institutions, and enterprises.
The data breach, which was publicly disclosed by vpnMentor cybersecurity researchers Noam Rotem and Ran Locar, involves databases linked to Suprema’s Biostar 2 security platform. The platform involved in the data leak is a web-based, business solution integrated security platform that “provides comprehensive functionality for access control and time & attendance” through a modular framework.
Biostar 2 provides clients with activity log records, remote access, and integration with third-party applications. To do this, the platform uses facial recognition and fingerprinting to identify authorized users.
Recently, the platform integrated the Nedap’s AEOS access control system and is used by more than six thousand organizations across the globe.
The client list of the platform stretches from business and enterprise companies, SMB’s, government institutions, banks, and the most popular client they have, the UK Metropolitan Police.
The researchers, who disclosed the data leak on Wednesday, said that “huge parts of Biostar 2’s database are unprotected and mostly unencrypted.” Rotem and Locar was able to perform an ElasticSearch in order to uncover the leak, but they were also able to access the database through a browser and perform searches of the exposed information.
More than 27.8 million records that comprise more than 23GB of data were leaked through the Biostar 2 database. These data belong to all the clients of the security and biometric company and include one million fingerprint records, images of users and linked facial recognition data, records of entry to secure areas, confidential employee information, user security levels and clearances, personal data of employees like emails and home address as well as their mobile device records.
To make matters worse, the database uncovered by the cybersecurity researchers also contain unencrypted and human-readable access credentials belonging to employees of Biostar clients. The researchers said that this kind of data could be used by malicious attackers to gain physical access to different offices without authorizations, allowing them to enter secure areas and facilities.
vpnMentor researchers said that the those who are affected include coworking companies in the US, India, and Sri Lanka, a medical company in the UK, DIY suppliers, a traditional Chinese medical supplier, festival organizers, and human resource agencies.
The researchers highlighted how huge the impact of data leaks like this to the security of those who are affected. “Hackers can change the fingerprints of existing accounts to their own and hijack a user account to access restricted areas undetected,” the researchers say. “Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected.”
Amidst the growing sensitivity of the data they were able to uncover, the researchers from vpnMentor said that reaching out to the involved biometric company wasn’t welcomed. They said that they immediately reached out to Biostar 2, two days after their discovery on August 7, but the company was “generally very uncooperative throughout this process.”
Data breaches involving unencrypted login credentials similar to the Biostar data leak has since been troubling security researchers as the implications of exposing data as sensitive as passwords and access keys are enormous.
“The fact that this biometric data was stored plainly and not in hashed form raises some serious concerns and is unacceptable. Biometrics deserve greater privacy protections than traditional credentials, they’re part of you, and there’s no resetting a fingerprint or face. Once fingerprint and facial recognition data are leaked or stolen, the victim can never undo this breach of privacy. The property that makes biometrics so effective as a means of identification is also its greatest weakness. Organizations and consumers must critically appraise the organizations who they are entrusting their data to. If there are any question marks, then it’s not worth the risk and alternatives should be sought,” said Kelvin Murray, senior threat research analyst for Webroot in an email to Z6Mag.
“The nature of this breach also raises a question about penalties levied when biometric data is exposed – should these organizations be punished more severely if they were deemed to be criminally negligent with this data? As this technology is still fairly new, it will be interesting how regulatory bodies respond to these types of breaches in the future,” he added.