Major breach: Fingerprints and passwords leaked by security firm Suprema

Global security firm Suprema has been hit with an unprecedented data breach, leaking over a million people's fingerprints, passwords, personal information, and facial recognition data.

Biometric security is used by banks, governments, and major corporations around the world to provide an additional layer of protection for their most sensitive computer systems, offices, and other facilities. One of those access systems is AEOS, which is used by over 5,700 organisations in 83 countries worldwide and implemented in banks, government systems and buildings, and UK police facilities.

Security firm Suprema recently announced that its Biostar 2 web-based security platform was being integrated into AEOS, promising secure remote access to security data. Israeli security researchers Noam Rotem and Ran Locar have now reported that they found a major security breach in the Biostar 2 system when they discovered its database was accessible online with no security protection.

The database allegedly contained fingerprints for over a million people, facial recognition data, usernames, passwords, and face photographs of users. The researchers also gained access to company dashboards, access logs for facilities, data on who had access to which facilities and at what levels of security access, and personal details of the staff of all companies using the system.

The security researchers also discovered that there was almost no encryption used in the database, with passwords for administrator-level accounts being stored in plain text. They were then able to add new users to companies, change people's levels of security access, and track users in real time as they entered and exited facilities.

Noam Rotem told the BBC that he and his colleagues met significant resistance when contacting Suprema to report the breach before going public with their report. The researcher claimed that on phoning Suprema's offices, they "had to deal with people just hanging up the phone."

One of the major problems with this breach is that it included biometric security data. While most companies hit with data breaches can advise users to change passwords, fingerprints and facial recognition data can't be changed. Some biometric systems can be fooled using reproductions of fingerprints or photographs of faces, making this leak potentially extremely dangerous for the long-term security of the companies affected.

The lack of basic security features on this database and the scale of the breach make this a very serious breach under GDPR legislation. Had this database fallen into the wrong hands, it would have compromised the security of governments, banks, and major corporations worldwide. The Information Commissioner's Office has been made aware of the breach and is now making enquiries.

Source: VPNMentor, BBC News, Guardian

About the author

An article that is attributed to Sync NI Team has either involved multiple authors, been written by a contributor, or the main body of content is from a press release.
