#privacy: Defence, police and banks caught up in biometrics data breach

data privacy

The personal and private information of over 1 million citizens has been compromised following a biometrics system data breach. 

The data was found available to public access on a database used by institutions including the Metropolitan police, defence firms and financial organisations.

Fingerprints, facial recognition ID, personal data and unencrypted login credentials are among the information compromised on the database maintained by security company, Suprema, reports reveal.

The firm is responsible for the online Biostar 2 biometrics locking mechanism which provides centralised control for entry to high-security buildings. The technology employs facial recognition and fingerprint data to help identify individuals as they attempt to enter official secure premises.

In July, Suprema divulged how its tech was being used in AEOS, a system used by 5,700 bodies in 83 countries by governments and banks.

Last week, Israeli cyber-security researchers, Noam Rotem and Ran Locar discovered Biostar 2’s database to be openly accessible to the public, holding data that was largely unprotected. The duo could easily navigate the data mine via search details entered into Elasticsearch.

Over 27.8m records and 23 GB of data were at the researchers’ fingertips – a huge hoard of information that comprised dashboards, users’ face photos, unprotected usernames, passwords, facility logs, staff personal details and administration panels.

Speaking to the Guardian, Rotem said:

“We were able to find plain-text passwords of administrator accounts. The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even. We [were] able to change data and add new users.”

As such, the expert would have been able to alter an existing users’ private account, associate it with a different fingerprint and gain access to any number of highly-restricted buildings and offices.

In a paper submitted to the Guardian, the pair describe how they were able to search through data from co-working organisations in the States, Indonesia, as well as businesses in India, the UK and Finland.

Rotem and Locar say the size of the data breach was particularly concerning because the database service operates in 1.5 million locations worldwide. The breach of fingerprint data is a major worry because fingerprints cannot be altered or reset, unlike passwords.

“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” the researchers stated.

Speaking to the Guardian, Suprema’s marketing chief Andy Ahn said that the firm had explored the issue to depth and emphasised that customers would be told if any danger was posed.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn said.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.