A Major Breach In Biometrics Security Database

Over a million fingerprints and other sensitive data have been exposed online by a biometric security firm. vpnMentor disclosed that it had found the highly sensitive data on a security tool.

Researchers working with vpnMentor say they accessed data from a security tool called BioStar 2. The exposure was first discovered on 5th August and the breach has now been closed.

The leaked data includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using BioStar 2. BioStar 2 is used by thousands of companies worldwide, including the UK's Metropolitan Police, to control access to specific parts of secure facilities. Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities. 

This is a huge leak that endangers both the businesses and organisations involved, as well as their employees. 

Fingerprints, facial recognition and other personal information from BioStar 2 were discovered on a publicly accessible database. As well as fingerprint records, the researchers say they found photographs of people, facial recognition data, names, addresses, passwords, employment history and records of when they had accessed secure areas.

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

Suprema is the security company responsible for the web-based BioStar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. BioStar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings. Last month, Suprema announced its BioStar 2 platform was integrated into another access control system, AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

The Israeli security researchers Noam Rotem and Ran Locar, working with vpnMentor, a service that reviews virtual private network services, have been running a side project to scan ports looking for familiar IP blocks and then use these blocks to find holes in companies’ systems that could potentially lead to data breaches.

The researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.

The researchers then found they had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.

They were able to access data from co-working organisations in the US and Indonesia, a gym chain in India and Sri Lanka, a medicine supplier in the United Kingdom, and a car parking space developer in Finland, among others. The sheer scale of the breach is alarming because the service is in 1.5m locations across the world and because, unlike passwords being leaked, when fingerprints are leaked, you can’t change your fingerprint.

Supply chain vulnerabilities, where a company uses a third-party company for a service that doesn’t have appropriate security, were common, but often some of the vulnerabilities discovered were with Fortune 500 companies.

Rotem said he contacts around three or four companies per week with similar issues. “Mistakes happen, and the real test is how you handle them,” Rotem said. “If you have a security team that can respond quickly and efficiently it’s good enough. If you have a security team that will send a legal team to threaten you, well, it’s less efficient ... this happens quite a lot. It’s unpleasant for someone to point out you have a vulnerability or weakness. Some people take it as an opportunity to fix it and some people are offended by it for some reason.”

Sources: Guardian, BBC, vpnMentor
