A major data breach reportedly found in biometrics security system “BioStar 2,” built by security company Suprema, has now made private data — such as fingerprints and facial recognition scans — public, affecting at least a million people. According to researchers, once biometric data is stolen, it cannot be retrieved, potentially affecting users “for the rest of their lives.”
Private data, such as fingerprints and facial recognition information, is now accessible on public databases, according to Internet privacy researchers Noam Rotem and Ran Locar, who published a report with vpnMentor on Wednesday, saying they have discovered a major data leak from Suprema’s web-based biometric security smart lock platform, BioStar 2.
“This is a huge leak that endangers both the businesses and organizations involved, as well as their employees,” reads the report. “Our team was able to access over 1 million fingerprint records, as well as facial recognition information. Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive.”
“Once stolen, fingerprint and facial recognition information cannot be retrieved,” added the report. “An individual will potentially be affected for the rest of their lives.”
The range of businesses affected by the data leak varied in size, industry, users, and country, which include Suprema’s customers in the United States. Union Member House, Lits Link, and Phoenix Medical were among those U.S. companies listed in the report of whose information the researchers were able to access and view worldwide.
“The data leaked in the breach is of a highly sensitive nature,” reads the report. “It includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using BioStar 2.”
“Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities,” the report added.
It was also mentioned that Suprema — one of the world’s top 50 security manufacturers, which built BioStar 2 — had recently partnered with Nedap to integrate the security platform into their AEOS access control system, which is used by over 5,700 organizations in 83 countries, including large multinational businesses, banks, governments, and even the U.K. police.
The researchers noted that the scope of this particular leak is especially concerning, because unlike passwords, biological data such as entire fingerprints and facial recognition information cannot be changed.
“Instead of saving a hash of the fingerprint (that cannot be reverse-engineered) they are saving the actual fingerprint that can then be used to create a copy for malicious purposes,” say the researchers. “The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company.”
“Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can’t be undone,” the researchers added. “Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities.”
The report added that the data leak could have been “easily avoided,” had Suprema “taken some basic security precautions.”
Suprema’s head of marketing Andy Ahn told the Guardian that the company has taken an “in-depth evaluation” of the information provided by the vpnMentor researchers, and will alert customers if they find that there is a threat.
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” said Ahn.