A biometrics system used by banks, UK police and defence companies has suffered a major data breach, revealing the fingerprints of more than one million people as well as unencrypted passwords, facial recognition information and other personal data.
Biostar 2, the biometrics lock system managed by security company Suprema, uses fingerprints and facial recognition technology to give authorised individuals access to buildings. Last month the platform was integrated into another access system -- AEOS -- which is used by 5,700 organisations across 83 countries, including the UK Metropolitan Police.
The security flaw was picked up by Israeli researchers Noam Rotem and Ran Locar, from VPN review service vpnmentor. In a routine network scan conducted last week, the pair found that Biostar 2's database was publicly available, and that by manipulating URL search criteria they were able to access nearly 28 million records and 23GB of data, including fingerprints, facial recognition data, passwords and security clearance information.
Speaking to The Guardian, Rotem said that the flaw meant he could change data and add new users, which would allow him to add his own fingerprint to the system and access whatever facilities an original user was permitted to access. He added that not only was the sheer scale of the breach shocking -- the service is used in 1.5 million locations around the world -- but the nature of the data leak will have future consequences: you can change a password but you can't change your fingerprint.
Rotem said the team made numerous attempts to get in touch with Suprema before taking their findings to the press, but had not yet received a response. However, Suprema's head of marketing, Andy Ahn, told The Guardian that the company had made an "in-depth evaluation" of vpnmentor's research and would let customers know if there was a threat.
"If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets," he said. The vulnerability has since been closed.