Millions Of Biometric Records Collected By Companies And Governments Left Exposed On The Web
from the one-stop-shopping-for-identity-thieves dept
One of the many problems with collecting biometric data is you need to have someplace safe to store it. Sure, you could lock it away in something disconnected from the net, but then it’s not much use to the dozens of private companies and government agencies that want access to the data they’ve collected. So, back on the web it goes, where it can be prodded for weaknesses by security researchers and malicious hackers alike.
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.
The data breach was discovered by vpnMentor researchers, who were performing their usual port scans and checking familiar IP blocks for weaknesses. They found a big one at BioStar 2, the third-party platform that provides access to the biometric databases maintained by over 5,700 companies and government agencies. Only minimal precautions were taken to protect BioStar’s data from outside threats — and even that minimal effort was easily thwarted.
The team discovered that huge parts of BioStar 2’s database are unprotected and mostly unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data.
Not only were the researchers able to see all of this sensitive data, they were also able to change it. Thanks to the list of unencrypted administrator usernames and passwords, researchers were able to add themselves to accounts and utilize stored privileges to examine BioStar 2’s databases more thoroughly.
vpnMentor contacted BioStar 2 several times but was ignored repeatedly by its personnel. The only entity that was remotely helpful was the company’s French branch, which was apparently instrumental in getting the breach closed. Even so, it still took eight days for BioStar to fix the hole in its system after being notified. vpnMentor didn’t publish its findings until after this, but no one can say for sure how long this breach was accessible prior to its discovery by vpnMentor.
Names and passwords are certainly being changed in the wake of this discovery. But this breach was full of biometric info linked to other personally identifiable information held by BioStar 2’s customers. Fingerprints and other biometric markers can’t be changed. These are inextricably tied to whatever other sensitive information was collected by multiple entities — much of which was stored in unencrypted form.
Suprema, the vendor behind BioStar 2, will probably take security more seriously in the future, but the damage is done. The fact that the marketing team is issuing statements on the breach rather than someone with direct knowledge of the situation isn’t exactly reassuring. Neither is the issued statement, which suggests the company would rather have kept the breach buried than be honest and direct with its users.
Suprema’s head of marketing, Andy Ahn, told the Guardian the company had taken an “in-depth evaluation” of the information provided by vpnMentor and would inform customers if there was a threat.
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn said.
In other words, customers will only be informed of the breach if they’ve been targeted by criminals or malicious hackers. The rest of their customers aren’t on the “need to know” list. Fortunately for its out-of-the-loop customers, vpnMentor has made the disclosure the company spent eight days not making.