A BioStar 2 biometric security database belonging to global biometric and security provider Suprema suffered a data breach that exposed 28 million records. vpnMentor, a company that publishes virtual private network reviews, found the data leak on August 5, notified Suprema two days later, and Suprema closed the leak on August 13.
What Was Exposed?
The BioStar 2 database is Suprema’s web-based security platform used to secure commercial buildings. It was reportedly left open without any protection or encryption in place. The exposure totalled 23 GB of records, which included:
- Facial recognition information and user images
- Records of entry and exit to secure areas
- Fingerprint data
- Employees’ personal information such as home addresses and emails
- Businesses’ employee structure and overall hierarchy
Additionally, the vpnMentor team accessed information from businesses worldwide such as Union Member House and Lits Link in the U.S.A., Adecco Staffing in Belgium, and Japan’s Inspired Lab among others.
Dangers of Exposed and Unprotected Systems
With the rise in concern over apps that use facial recognition, a biometric database giant needs top security for its information. The exposed data would have given any hacker or cyber criminal access to BioStar 2 admin accounts, which would give them the power to:
- Make changes to security settings network-wide
- Create new user accounts
- Gain access to secure areas
Phishing scams would also be easier than ever, with the highest-level individuals targeted through access to a business’s overall structure. The largest problem with the exposed databases is that the accounts had simple passwords such as “1,2,3,4.” While some accounts within the database did have complex passwords, these were stored in plain text without encryption.
Biometric Protection in the Future
While Suprema is lucky that its database was discovered by an ethical group, its plans to integrate with new technology could cause greater risk down the line. The company plans to integrate its BioStar 2 solution with an AEOS access control system, which essentially makes it more convenient to organize biometric identities without switching screens.
Thousands of other organizations worldwide use this technology, and once you integrate one system with another, you open yourself up to that system’s security policies. The problem with biometric identifiers is that a fingerprint or face cannot be changed like a password. When a data leak occurs, it is problematic for the company and individuals alike.
The best course of action is to implement complex password policies for accounts in any business setting and to use encryption for all systems. Our team at Secure Forensics can effectively stop a data breach and find out what information was stolen. Also, our SecureDrives are hardware-encrypted storage devices that effectively eliminate data leaks, with FIPS 140-2 Level 3 validation.
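As an added illustration of the two problems described above (trivial passwords such as “1,2,3,4” and passwords stored in plain text) and of the password-policy and encryption recommendation, the following Python is example code, not code from the article, Suprema or BioStar 2. It shows the plaintext storage pattern beside a hardened version: a policy check that rejects trivial passwords, and salted PBKDF2 hashing with constant-time verification. The weak-password list, minimum length and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed list of trivial passwords, standing in for the "1,2,3,4"-style
# passwords the article says were found on exposed accounts (assumed values).
WEAK_PASSWORDS = {"1234", "123456", "password", "admin"}
MIN_LENGTH = 12            # assumed policy minimum
PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def password_is_acceptable(password: str) -> bool:
    """Policy check: reject well-known, digit-only or short passwords."""
    cleaned = password.replace(",", "").replace(" ", "")
    if cleaned.lower() in WEAK_PASSWORDS:
        return False
    if cleaned.isdigit():
        return False
    return len(password) >= MIN_LENGTH


def store_password_plaintext(password: str) -> dict:
    """The weak pattern the article describes: the secret is kept verbatim,
    so anyone who reads the record reads the password."""
    return {"password": password}


def store_password_hashed(password: str) -> dict:
    """Hardened pattern: random per-user salt plus PBKDF2-HMAC-SHA256.
    The plaintext is never written to the record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS,
            "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def register(password: str) -> dict:
    """Apply the policy first, then store only the hashed form."""
    if not password_is_acceptable(password):
        raise ValueError("password rejected by policy")
    return store_password_hashed(password)
```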