Biostar Data Breach Exposes Biometrics of Millions

The Suprema Biostar 2 security platform suffered a data breach that exposed 27.8 million records of biometric and related data. The exposure was discovered on August 5, 2019, and the data was made private on August 13, 2019. The breach came only a month after the firm announced its platform’s integration with the AEOS access control system.

The company specializes in fingerprint and facial recognition technology used to identify the individuals who access buildings. According to The Guardian, warehouses and office buildings are among the sites that use the technology.

According to the report released by The Guardian, the breach was discovered by VPNMentor. Noam Rotem and Ran Locar, Israeli security researchers working for VPNMentor, found the Biostar 2 database unprotected. The researchers then contacted Suprema about the incident.

However, Suprema’s offices failed to respond or comment on the issue. Rotem told BBC that he dealt “with people just hanging up the phone.”

The sensitive information compromised in the incident includes facial recognition data and consumer photos. The researchers also obtained access to unencrypted usernames and passwords, personal employee information, and fingerprint records. On further inspection, they found addresses, names, employment history, and other records.

Administrative panels, dashboards, facility access logs, and security levels and clearance data were also compromised.

In total, the exposure amounted to 27.8 million records, an estimated 23 gigabytes of data.

Affected organizations spanned numerous parts of the globe, including the United Kingdom, the United States of America, and India. Japan and the United Arab Emirates were also on the list, reports The Verge.

BBC reveals that Tile Mountain in the UK was directly affected by the breach. Colin Hampson, its IT director, said the lack of contact from the company was disappointing: “it is concerning that no contact was made to inform us that data may have been compromised.”

The main risks arising from the leak are identity fraud and theft as well as unauthorized access. Both Rotem and Locar noted that leaked biometric data such as fingerprints cannot be changed, unlike a compromised password.

While The Verge notes the vulnerability has been fixed, the company has yet to issue a formal statement. The researchers advised businesses that work with Biostar 2 to change their passwords immediately, including those used for dashboard access.

In an interview with The Guardian, Andy Ahn, Suprema’s head of marketing, said the company had conducted an “in-depth evaluation.” However, the business would only notify customers should a threat arise.