
Huge security flaw exposes biometric data of more than a million users

Suprema’s Biostar 2 system is used to secure buildings around the world


Illustration of a red lock made up of code. Illustration by Alex Castro / The Verge

A huge cache of unsecured biometric credentials and personal information has been discovered by security researchers, The Guardian reports. The breach, which was discovered by researchers Noam Rotem and Ran Locar alongside vpnMentor, included the fingerprint data of more than 1 million people, facial recognition information, unencrypted usernames and passwords, and other personal information of users of Suprema’s Biostar 2 security platform. The information, which included a total of 27.8 million records totalling 23 gigabytes of data, was found in a publicly accessible database, although it’s unclear whether any malicious actors accessed the data while it was unsecured.

Biostar 2 is a security system used by organizations around the world to secure commercial buildings. vpnMentor notes that the system is used to control access to facilities in the USA, UK, Japan, India, and the UAE. Since the breached information included usernames and passwords, it could allow would-be hackers to create or modify user credentials, allowing them access to any building secured using Biostar 2.

Biometric fingerprint information cannot be changed once exposed

The breach could also have implications for any employees enrolled in the security system. The exposed personal information could be used to commit identity fraud, and the fingerprint data (which was stored in an unencrypted format) could be used to gain access to any other systems secured using the same biometric credentials. Most worrying is that, unlike a compromised password, a fingerprint cannot be changed once it has been exposed like this.

Biostar 2 is not only used to secure buildings around the world: The Guardian notes that Suprema recently announced that its Biostar 2 platform would be integrated into AEOS, a separate security system used across 83 countries by organizations including governments, banks, and the UK’s Metropolitan Police service.

Although the security vulnerability has now been fixed, the security researchers said that Suprema was largely unresponsive and uncooperative after they reported their findings. Rotem and Locar are advising any businesses that use the Biostar 2 platform to change the passwords they use to access the Biostar 2 dashboard, and to also prompt their users to change their passwords.

When contacted for comment, a representative from Suprema issued a statement saying that the company is aware of the reports about its Biostar 2 platform “and the alleged unauthorized access to data involving vpnMentor.” It added that it takes any reports of this nature very seriously, and is investigating the allegations. “At this stage, [Suprema] cannot make any further comment but will, if appropriate, issue a further press statement in due course, including corrections of any erroneous assertions in the reports to date,” the company said.

Update August 15th, 8:00AM ET: Updated with statement from Suprema.