Biometric Data leak reveals over 27m records

Over 27 million data records, including facial recognition profiles, fingerprints, usernames and unencrypted passwords, have been found openly accessible on the servers of Suprema Inc's BioStar 2 biometric access control system. This security firm powers access control for over 1.5m installations, including governments, police forces and banks.

Two Israeli researchers working for a VPN company found unsecured backdoor access to this database, which is a major data breach for a security-based firm. The full report on the leak, along with sample information, can be found here:

Not only was this information accessible without credentials, but the data stored within this database included unencrypted passwords for many users. It is highly likely that these passwords are re-used elsewhere, so they could provide a treasure trove of personal information for unscrupulous hackers.

With this leak, criminal hackers have complete access to admin accounts on BioStar 2. They can use this to take over a high-level account with full user permissions and security clearances, and change the security settings of an entire network.

Not only can they change user permissions and lock people out of certain areas, but they can also create new user accounts – complete with facial recognition and fingerprints – to give themselves access to secure areas within a building or facility.

Furthermore, hackers can change the fingerprints of existing accounts to their own and hijack a user account to access restricted areas undetected. Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected.

This provides a hacker and their team open access to all restricted areas protected with BioStar 2. They also have access to activity logs, so they can delete or alter the data to hide their activities.

As a result, a hacked building’s entire security infrastructure becomes useless. Anybody with this data will have free movement to go anywhere they choose, undetected.

This flaw has now been patched, but it sounds like Suprema were particularly uncooperative, if the report is to be taken at face value.
Ian Cunningham