Biostar 2 Suffers Data Leak – 27.8 Million Records Exposed

There’s been another biometrics data leak. This time, it is traced back to Biostar 2. 1 million citizens have been exposed.

There’s been another data leak. This time, it’s centred around the biometrics lock system Biostar 2. The system is used by banks, defence firms, and the UK police. In all, 1 million citizens have had their biometric information exposed. From The Guardian:

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.

Last month, Suprema announced its Biostar 2 platform was integrated into another access control system – AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

The Israeli security researchers Noam Rotem and Ran Locar working with vpnmentor, a service that reviews virtual private network services, have been running a side project to scan ports looking for familiar IP blocks, and then use these blocks to find holes in companies’ systems that could potentially lead to data breaches.

In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.

The researchers had access to over 27.8m records, and 23 gigabytes-worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
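The Guardian's description above, an Elasticsearch database reachable from the internet that answered search requests without any credentials, is the standard shape of this kind of leak. As an added illustration (not code from the original article and not Suprema's software), the following Python script audits a minimal elasticsearch.yml for the two settings that, together, make every index world-readable: the REST API bound to a non-loopback address and X-Pack security left disabled (the default in the 6.x and 7.x releases current at the time; 8.x enables it by default). The two sample configurations are constructed for the example; the setting names are real Elasticsearch settings, but nothing in the reporting says how the Biostar 2 instance was actually configured.

```python
"""Audit an elasticsearch.yml for the settings that leave an index world-readable.

Added example; not code from the original article or from Suprema.
"""
from typing import Dict, List

# Constructed sample configurations for the example (not Suprema's real config).
WEAK_CONFIG = """
cluster.name: access-control-demo
node.name: node-1
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
# xpack.security.enabled is absent: the 6.x/7.x default is false
"""

HARDENED_CONFIG = """
cluster.name: access-control-demo
node.name: node-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Bind addresses that never reach past the local machine.
LOOPBACK = {"_local_", "localhost", "127.0.0.1", "::1"}


def parse_config(text: str) -> Dict[str, str]:
    """Parse the flat 'dotted.key: value' lines used in elasticsearch.yml.

    Comments and blank lines are skipped; nested YAML blocks are out of scope,
    which is enough for the settings checked here.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def bind_addresses(value: str) -> List[str]:
    """Expand a single host or a YAML flow list ([a, b]) into a list of hosts."""
    return [h.strip().strip("'\"") for h in value.strip("[]").split(",") if h.strip()]


def is_true(settings: Dict[str, str], key: str) -> bool:
    """Elasticsearch booleans are the strings true/false; absent means false here."""
    return settings.get(key, "false").strip().lower() == "true"


def audit(settings: Dict[str, str]) -> List[str]:
    """Return findings as 'code: explanation' strings; an empty list means nothing to report."""
    findings: List[str] = []
    # http.host overrides network.host for the REST port; both default to loopback.
    value = settings.get("http.host", settings.get("network.host", "_local_"))
    exposed = [h for h in bind_addresses(value) if h.lower() not in LOOPBACK]
    if not exposed:
        return findings  # loopback only: unreachable from the network, whatever else is set
    findings.append(f"http_exposed: REST API bound to {', '.join(exposed)}")
    if not is_true(settings, "xpack.security.enabled"):
        findings.append("no_auth: xpack.security.enabled is not true, so any client can run "
                        "queries such as GET /<index>/_search against every index")
    if not is_true(settings, "xpack.security.http.ssl.enabled"):
        findings.append("plaintext_http: credentials and query results travel unencrypted")
    return findings


def finding_codes(config_text: str) -> List[str]:
    """Convenience wrapper: just the finding codes for a raw config text."""
    return [f.split(":", 1)[0] for f in audit(parse_config(config_text))]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for finding in audit(parse_config(text)) or ["no findings"]:
            print("  " + finding)
```

Running the script prints three findings for the weak sample and none for the hardened one. A static check like this should be paired with a probe from outside the host, since firewall rules and reverse proxies can change what the configuration alone implies in either direction.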

Suprema, the South Korean-based company behind Biostar 2, responded to the revelations by downplaying the size of the leak. From the BBC:

Suprema said the access point had now been closed and an investigation had found the scope of the leak to be “significantly less” than reported.

The cyber-security researchers involved, however, are standing by their research.

One of them, Noam Rotem, told BBC News the evidence he had obtained did in fact indicate large amounts of biometric data had been made available online.

He and his colleague Ran Locar had worked with cyber-security company VPNMentor to disclose the breach.

While Suprema downplays the leak, its known reach keeps growing. According to Bloomberg, employees of Adecco’s Belgian unit are among those affected, and Adecco says it is in contact with the country’s privacy regulator to determine the severity of the breach. From the report:

The Adecco Group told Belgium’s privacy regulator that the breach of a security platform run by South Korea’s Suprema ID Inc. compromised the biometric data of some 2,000 employees of its Belgian unit.

The breach of Suprema’s BioStar 2 system affected data including fingerprints and facial recognition details of Adecco employees, the country’s data protection authority said in a statement Wednesday.

The regulator said it’s in touch with Adecco to check the “seriousness of this breach.” A spokeswoman for Suprema declined to comment.

An Adecco spokeswoman confirmed that staff data was compromised and that it is “investigating this supplier data breach.”

Meanwhile, in Dubai, Global Village is trying to reassure people that they aren’t affected by the leak. From the National:

A major Dubai venue operator has said customers’ data has not been compromised following claims that 15,000 fingerprints it held had been easily accessed by hackers.

Global Village, which runs the popular Dubai entertainment complex open between October and April, said it “is currently not facing any security vulnerability”.

It made the statement after it was named as one of several companies affected by a leak of sensitive data held by an external security firm.

A major problem with compromised biometric information is that, unlike a password, it cannot be changed. If a forum account is compromised, the user simply picks a new password. If a fingerprint template is compromised, the user cannot grow a new fingerprint, and replacing a face is hardly practical either. That is why a leak of this kind cannot be shrugged off: the exposed identifiers remain usable for as long as any system keeps relying on the same biometrics.

One thing is for sure, this is looking like quite a mess at this point. It’s going to take a lot to resolve this one.

Drew Wilson on Twitter: @icecube85 and Facebook.
