A large trove of personal data, including one million fingerprints, facial recognition data, passwords and other sensitive information, was found publicly accessible in a database belonging to a company that provides centralized data access for security organizations, according to a report by The Guardian.
The company, called Suprema, created the biometrics-based Biostar 2 lock system. It offers centralized control that enables people to access secure buildings using facial recognition and fingerprints for identification.
Suprema announced in July that it was integrating into a different control system called AEOS, which is used in 83 countries by around 5,700 organizations including police stations, banks and governments.
Two researchers, Noam Rotem and Ran Locar, work with a venture called vpnMentor, which assesses virtual private network (VPN) services. They have been working to find vulnerabilities in corporate systems that could lead to data breaches. They found one last week in Biostar 2; they were able to locate the database by changing URL data. Once they got in, they gained access to almost 28 million records and 23 gigabytes of data that included photos of faces, fingerprints, unencrypted passwords and personal details. Much of the information was unencrypted.
“We were able to find plain-text passwords of administrator accounts,” Rotem said. “…Millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even. We [were] able to change data and add new users.”
The researchers noted that while passwords can be changed during a data breach, fingerprints cannot. “Instead of saving a hash of the fingerprint (that can’t be reverse-engineered), they are saving people’s actual fingerprints that can be copied for malicious purposes,” they said.
The researchers said they tried to get in touch with Suprema, but were not successful. Andy Ahn, Suprema’s head of marketing, told The Guardian it had fully evaluated the issue and would let people know if there was a problem. “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” he said, adding that the problem had been fixed.