Security researchers have discovered a huge collection of unsecured biometric credentials and personal information including the fingerprint data of over one million people.
The discovery was made by researchers Noam Rotem and Ran Locar alongside vpnMentor and in addition to fingerprint data, they also found facial recognition information, unencrypted usernames and passwords as well as other personal information from users of Suprema's Biostar 2 security platform.
As with other recent data leaks, the information was found in a publicly accessible database which contained 27.8m records spanning 23GB of data. As of now, it is still unclear as to whether any malicious actors were able to access the data while it was publicly exposed.
- US government data leak exposes years of investigations
- EU to create major biometric database
- Unsecured database of 50m found on Azure
Organizations around the world rely on the Biostar 2 security system to secure their commercial buildings. According to vpnMentor, the system is used to control access to facilities in the US, UK, Japan, India and the UAE.
If cybercriminals did manage to access the data, they could use it to either create or modify existing user credentials which would allow them to access any building secured with Biostar 2.
Employees enrolled in the security system could also be at risk as their personal information could be used to commit identity fraud and their fingerprint data could be used to gain access to other systems that are secured using their unencrypted fingerprint data.
According to The Guardian, Suprema also recently announced that its Biostar 2 platform would be integrated into another security system called AEOS which is used in 83 countries by governments, banks and even the UK's Metropolitan Police service.
The security vulnerability has now been fixed but the biometric credentials and personal information exposed in the data leak could still be leveraged by malicious actors. Businesses using the Biostar 2 platform should change the passwords they use to access the system's dashboard immediately to prevent falling victim to any potential attacks.
Tripwire's VP of product management and strategy, Tim Erlin provided further insight on the data leak and the disadvantages of using biometric data for security purposes, saying:
“As an industry, we’ve learned a lot of lessons about how to securely store authentication data over the years. In many cases, we’re still learning and re-learning those lessons. Unfortunately, companies can’t send out a reset email for fingerprints. The benefit and disadvantage of biometric data is that it can’t be changed.
“Using multiple factors for authentication helps mitigate these kinds of breaches. As long as I can’t get access to a system or building with only one factor, then the compromise of my password, key card or fingerprint doesn’t result in compromise of the whole system. Of course, if these factors are stored or alterable from a single system, then there remains a single point of failure.”
- We've also highlighted the best antivirus software of 2019