- A database containing unhashed passwords and fingerprints has been left exposed online.
- The database contained 23GB of sensitive data belonging to one million individuals across a number of countries.
- The company responsible is Suprema, one of the most prominent biometrics security product vendors in the world.
Suprema, a UK biometrics security company that serves clients in the healthcare, data center, construction, manufacturing, infrastructure, and commercial fields, has blundered by leaving a rich database unprotected and accessible to anyone. Discovered by researchers from the vpnMentor team on August 5, 2019, the Elasticsearch database contained information relating to the company's “BioStar 2” facial recognition and fingerprinting product, which is meant to let clients control access to their facilities securely. The system is used by over six thousand companies, including the UK Metropolitan Police, banks, government agencies, and multinational organizations.
In numbers, this enormous data breach is 23 gigabytes in size, comprises 27.8 million records, and affects approximately one million individuals. The data found in the database included fingerprints, images of users (for facial recognition), admin and dashboard permission details, records of entry to and exit from secure areas, employee records, employee security levels and clearances, employee names, emails, home addresses, business hierarchies, and mobile device and OS information. To make matters worse, all user passwords in the database were stored in plain text and the fingerprints as raw images, so Suprema did not even follow the basic practice of hashing passwords.
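To show what the missing basic practice looks like, the following is an added example (not code from the article or from Suprema's BioStar 2 product) that contrasts a plaintext password store with one that keeps only a salted, memory-hard hash (scrypt from Python's standard library). The sample record and the parameter choices are constructed for illustration; a migration helper shows that once records are hashed, an exposed copy of the store no longer reveals any password.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of the weak form: a credential store that keeps the
# password itself, so anyone who reads the database reads the password.
PLAINTEXT_STORE: Dict[str, str] = {"alice@example.com": "Password123"}

# scrypt work factors (assumed values for this example): n=2**14, r=8 uses
# about 16 MiB per hash, which stays below hashlib's default memory limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2,
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_store(plaintext_store: Dict[str, str]) -> Dict[str, str]:
    """Replace every plaintext password with its salted hash record."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


if __name__ == "__main__":
    hashed = migrate_store(PLAINTEXT_STORE)
    for user, record in hashed.items():
        print(user, "->", record)
    print("login ok:", verify_password("Password123", hashed["alice@example.com"]))
    print("wrong pw:", verify_password("password123", hashed["alice@example.com"]))
```

The stored record carries its own parameters, so the work factors can be raised later for new logins without invalidating existing records; old records still verify with the parameters they were created with.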
While the database was finally secured on August 13, 2019, it is unknown how many people may have downloaded this trove of biometric data while it was exposed to the whole world. This is a type of data that has far greater value to crooks than ‘typical’ credentials, because biometrics cannot be reset or changed. This means the one million people who were compromised will remain vulnerable to certain types of attack forever, which only shows how irresponsible Suprema was in handling such sensitive data. So far, the biometrics security vendor has not had the decency to publish an official announcement offering anything to those exposed, from advice to actual support on how to protect themselves against extortion, impersonation, and the like.
If the company you work for uses the BioStar 2 system, reset your dashboard password immediately and contact Suprema to ask for more information that concerns you specifically. Additionally, notify your employer, your staff, and your colleagues so they can do the same. Many of the entries the researchers discovered used very weak passwords, so make sure you generate a strong password this time.
What would be the proper form of indemnity that Suprema should offer to the people whose biometrics have been compromised forever? Let us know your opinion in the comments below, or on our socials, Facebook and Twitter.