Millions Of Biometric Records Collected By Companies And Governments Left Exposed On The Web

from the one-stop-shopping-for-identity-thieves dept

One of the many problems with collecting biometric data is you need to have someplace safe to store it. Sure, you could lock it away in something disconnected from the net, but then it’s not much use to the dozens of private companies and government agencies that want access to the data they’ve collected. So, back on the web it goes, where it can be prodded for weaknesses by security researchers and malicious hackers alike.

We can only hope the security researchers got there first.

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

The data breach was discovered by vpnMentor researchers, who were performing their usual port scans and checking familiar IP blocks for weaknesses. They found a big one at BioStar 2, the third-party platform that provides access to the biometric databases maintained by over 5,700 companies and government agencies. Only minimal precautions were taken to protect BioStar’s data from outside threats — and even that minimal effort was easily thwarted.

The team discovered that huge parts of BioStar 2’s database are unprotected and mostly unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data.

Not only were the researchers able to see all of this sensitive data, they were also able to change it. Thanks to the list of unencrypted administrator usernames and passwords, researchers were able to add themselves to accounts and utilize stored privileges to examine BioStar 2’s databases more thoroughly.
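As an added illustration (not code from this post, vpnMentor or Suprema), here is a small audit helper that flags the Elasticsearch settings behind this kind of exposure: a node bound to a non-loopback address with X-Pack security off (anonymous read and write, as described above), or with authentication on but no TLS (credentials in the clear). The setting names are real Elasticsearch keys; the config samples and host values are constructed, and treating an absent xpack.security.enabled as false assumes the pre-8.x default.

```python
"""Flag Elasticsearch settings that leave a node open to anonymous
read/write over HTTP. Hypothetical audit helper written for this post;
the elasticsearch.yml samples below are constructed, not real configs."""

# Values of network.host that keep the node on loopback only.
LOCAL_HOSTS = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in elasticsearch.yml.
    Comments and blank lines are skipped; values are kept as strings."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_es_settings(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    host = settings.get("network.host", "_local_")   # ES default bind
    public_bind = host not in LOCAL_HOSTS
    # Absent key treated as false: assumption matching pre-8.x defaults.
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if public_bind and not auth_on:
        findings.append(f"network.host={host} with xpack.security.enabled=false: "
                        "anyone reaching the HTTP port can read and modify every index")
    if public_bind and auth_on and not tls_on:
        findings.append("auth enabled but xpack.security.http.ssl.enabled=false: "
                        "credentials and query results cross the network in clear text")
    return findings


# Constructed sample: the weak shape (reachable from anywhere, no auth).
WEAK_CONFIG = """
cluster.name: demo-cluster   # constructed sample
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed sample: private bind plus authentication and TLS.
HARDENED_CONFIG = """
cluster.name: demo-cluster
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
```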

vpnMentor contacted BioStar 2 several times but was ignored repeatedly by its personnel. The only entity that was remotely helpful was the company’s French branch, which was apparently instrumental in getting the breach closed. Even so, it still took eight days for BioStar to fix the hole in its system after being notified. vpnMentor didn’t publish its findings until after this, but no one can say for sure how long this breach was accessible prior to its discovery by vpnMentor.

Names and passwords are certainly being changed in the wake of this discovery. But this breach was full of biometric info linked to other personally identifiable information held by BioStar 2’s customers. Fingerprints and other biometric markers can’t be changed. These are inextricably tied to whatever other sensitive information was collected by multiple entities — much of which was stored in unencrypted form.

Suprema and BioStar 2 will probably take security more seriously in the future, but the damage is done. The fact that the marketing team is issuing statements on the breach rather than someone with direct knowledge of the situation isn’t exactly reassuring. Neither is the issued statement, which suggests the company would rather have kept the breach buried than be honest and direct with its users.

Suprema’s head of marketing, Andy Ahn, told the Guardian the company had taken an “in-depth evaluation” of the information provided by vpnMentor and would inform customers if there was a threat.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn said.

In other words, customers will only be informed of the breach if they’ve been targeted by criminals or malicious hackers. The rest of their customers aren’t on the “need to know” list. Fortunately for its out-of-the-loop customers, vpnMentor has made the disclosure the company spent eight days not making.

Companies: biostar 2


Comments on “Millions Of Biometric Records Collected By Companies And Governments Left Exposed On The Web”

Anonymous Coward says:

Fingerprints and other biometric markers can’t be changed.

Depends. What was actually stored? High resolution TIFFs of biometric marker visual data, or hashes based on the biometric data?

If it’s the second, then BioStar just has to realize that their hashing system has now been compromised, trash all data that uses it, and use a new algorithm to generate new fingerprints. All the old data would, of course, then be useless and the database would need to be re-built from scratch.

Anonymous Coward says:

Every day we read about whichever government wanting to have backdoors built in to various software, and we’re told that it’s because it’s extremely unsafe if said government(s) can’t read ALL messages from everyone to everyone else. We’re also told not to concern ourselves because ALL our information will be 110% safe! However, it makes not the slightest difference whether it’s a government or a company, not a single one of either is capable of keeping an ice lolly safe from the Sun! All are fucking useless at protection and none give a shit about anything or anyone being kept safe, as long as they get whatever it is they want!

Anonymous Anonymous Coward (profile) says:

My biometrics have been stolen?

I guess I will need plastic surgery, eye, or at least iris replacement (fix my astigmatism while you’re at it), fingerprint reconfiguration, voice box rework, and a couple of dozen bottles of Rogaine. Is there contact information for the insurance companies protecting these rat bastards where I can apply for the appropriate compensation? I assume lost time and the expense of letting everyone know the new me will be included.
