Millions Of Biometric Records Collected By Companies And Governments Left Exposed On The Web

from the one-stop-shopping-for-identity-thieves dept

One of the many problems with collecting biometric data is you need to have someplace safe to store it. Sure, you could lock it away in something disconnected from the net, but then it's not much use to the dozens of private companies and government agencies that want access to the data they've collected. So, back on the web it goes, where it can be prodded for weaknesses by security researchers and malicious hackers alike.

We can only hope the security researchers got there first.

The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

The data breach was discovered by vpnMentor researchers, who were performing their usual port scans and checking familiar IP blocks for weaknesses. They found a big one at BioStar 2, the third-party platform that provides access to the biometric databases maintained by over 5,700 companies and government agencies. Only minimal precautions were taken to protect BioStar's data from outside threats -- and even that minimal effort was easily thwarted.

The team discovered that huge parts of BioStar 2’s database are unprotected and mostly unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data.
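The weakness vpnMentor describes is a database node that answers to anyone who can reach it over the network, with no login in front of its REST API, which is what lets a browser read and rewrite documents by editing a URL. As an added example, not code from vpnMentor, Techdirt or Suprema, the following Python audit reads an Elasticsearch `elasticsearch.yml` and reports that combination. The two configs are constructed for the example; `network.host`, `http.host` and `xpack.security.enabled` are real Elasticsearch settings, and treating a missing `xpack.security.enabled` as "not confirmed enabled" is a deliberately conservative assumption, since the default has changed between Elasticsearch versions.

```python
"""Audit an Elasticsearch node config for unauthenticated network exposure.

Added example; the config text below is constructed, not BioStar 2's config.
elasticsearch.yml is usually written as flat dotted keys, so a minimal
'key: value' parser is enough here and avoids a PyYAML dependency.
"""

# Constructed sample: node bound to every interface, security switched off.
EXPOSED_CONFIG = """
cluster.name: access-control
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: loopback-only binding with security on.
HARDENED_CONFIG = """
cluster.name: access-control
node.name: node-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Values Elasticsearch treats as loopback-only binds ('_local_' is its alias
# and also the default when network.host is not set).
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines into a dict, ignoring comments and blanks.

    Only flat dotted keys are handled (the common elasticsearch.yml style).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_exposure(text):
    """Return a list of findings; an empty list means nothing was flagged.

    http.host overrides network.host for the REST API, so it wins when set.
    """
    cfg = parse_flat_yaml(text)
    findings = []
    bind = cfg.get("http.host", cfg.get("network.host", "_local_"))
    # A bracketed, comma-separated list is allowed; any non-loopback entry counts.
    binds = [b.strip() for b in bind.strip("[]").split(",")]
    non_loopback = [b for b in binds if b not in LOOPBACK_VALUES]
    if non_loopback:
        findings.append(f"REST API bound to non-loopback address(es): {non_loopback}")
    # Conservative assumption: anything but an explicit 'true' is flagged,
    # because the version-dependent default is not visible in the file.
    if cfg.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not explicitly true: "
                        "anonymous read/write through the REST API is possible")
    return findings


def is_publicly_writable(text):
    """True when the node is both reachable off-host and unauthenticated,
    which is the condition that makes URL-driven reads and edits possible."""
    findings = audit_exposure(text)
    return (any("non-loopback" in f for f in findings)
            and any("xpack.security.enabled" in f for f in findings))


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_exposure(cfg) or 'no findings'}")
```

Run against a real `elasticsearch.yml`, the script only answers the narrow question of whether the node's own file leaves the REST API open; a node behind a reverse proxy or firewall may still be fine with a non-loopback bind, and a node with security on but a leaked admin password is not, which is the second half of this story.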

Not only were the researchers able to see all of this sensitive data, they were also able to change it. Thanks to the list of unencrypted administrator usernames and passwords, researchers were able to add themselves to accounts and utilize stored privileges to examine BioStar 2's databases more thoroughly.
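The reason a readable database turned into full control is that the administrator credentials were stored as reusable plaintext. As an added example, not BioStar 2's code, here is the plaintext record pattern beside a hashed one in Python, using only the standard library: PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison. The iteration count and the record layout are this example's own choices, not anything the article describes.

```python
"""Credential storage: the plaintext pattern beside a hashed one.

Added example (not BioStar 2's code). Standard library only.
"""
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256 (OWASP's current guidance).
PBKDF2_ITERATIONS = 600_000


def store_plaintext(username, password):
    """The pattern the exposed database used: the stored field *is* the credential."""
    return {"username": username, "password": password}


def make_record(username, password):
    """Return a record holding salt and PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)  # random per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "username": username,
        "kdf": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,  # stored so it can be raised later
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record, password):
    """Recompute the hash from the stored parameters and compare in constant time."""
    if record.get("kdf") != "pbkdf2_sha256":
        return False  # unknown or plaintext record: refuse rather than guess
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaked_value_reusable(record):
    """What someone reading a leaked record gets: True means the stored
    field logs in as-is, which is what let the researchers take over accounts."""
    return "password" in record


if __name__ == "__main__":
    weak = store_plaintext("admin", "hunter2")       # constructed sample credential
    strong = make_record("admin", "hunter2")
    print("plaintext record reusable:", leaked_value_reusable(weak))
    print("hashed record reusable:   ", leaked_value_reusable(strong))
    print("verify correct password:  ", verify(strong, "hunter2"))
    print("verify wrong password:    ", verify(strong, "hunter3"))
```

Hashing does not undo a leak of the rest of the record, and it does nothing for the biometric templates, but it means a dump of the user table no longer hands out working logins, which is the difference between the researchers reading data and the researchers being able to change it.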

vpnMentor contacted BioStar 2 several times but was ignored repeatedly by its personnel. The only entity that was remotely helpful was the company's French branch, which was apparently instrumental in getting the breach closed. Even so, it still took eight days for BioStar to fix the hole in its system after being notified. vpnMentor didn't publish its findings until after this, but no one can say for sure how long this breach was accessible prior to its discovery by vpnMentor.

Names and passwords are certainly being changed in the wake of this discovery. But this breach was full of biometric info linked to other personally identifiable information held by BioStar 2's customers. Fingerprints and other biometric markers can't be changed. These are inextricably tied to whatever other sensitive information was collected by multiple entities -- much of which was stored in unencrypted form.

Suprema and BioStar 2 will probably take security more seriously in the future, but the damage is done. The fact that the marketing team is issuing statements on the breach rather than someone with direct knowledge of the situation isn't exactly reassuring. Neither is the statement itself, which suggests the company would have preferred to keep the breach buried rather than be honest and direct with its users.

Suprema’s head of marketing, Andy Ahn, told the Guardian the company had taken an “in-depth evaluation” of the information provided by vpnmentor and would inform customers if there was a threat.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn said.

In other words, customers will only be informed of the breach if they've been targeted by criminals or malicious hackers. The rest of their customers aren't on the "need to know" list. Fortunately for its out-of-the-loop customers, vpnMentor has made the disclosure the company spent eight days not making.

Filed Under: biometric records, fingerprints, privacy, security
Companies: biostar 2


Reader Comments



  • Anonymous Coward, 26 Aug 2019 @ 12:28pm

    Ah, the big data world where companies collect all sorts of personal data and make it available to every crook and peeping tom on the Internet.


  • Anonymous Coward, 26 Aug 2019 @ 12:37pm

    Fingerprints and other biometric markers can't be changed.

    Depends. What was actually stored? High resolution TIFFs of biometric marker visual data, or hashes based on the biometric data?

    If it's the second, then BioStar just has to realize that their hashing system has now been compromised, trash all data that uses it, and use a new algorithm to generate new fingerprints. All the old data would, of course, then be useless and the database would need to be re-built from scratch.


  • Anonymous Coward, 26 Aug 2019 @ 12:37pm

    Every day we read about whichever government wanting to have backdoors built in to various softwares and we're told that it's because it's extremely unsafe if said government(s) can't read ALL messages from everyone to everyone else. We're also told not to concern ourselves because ALL our information will be 110% safe! However, it makes not the slightest difference whether it's a government or a company, not a single one of either is capable of keeping an ice lolly safe from the Sun! All are fucking useless at protection and none give a shit about anything or anyone being kept safe, as long as they get whatever it is they want!


  • Anonymous Anonymous Coward (profile), 26 Aug 2019 @ 12:40pm

    My Bio-metrics have been stolen?

    I guess I will need plastic surgery, eye, or at least iris replacement (fix my astigmatism while you're at it), fingerprint reconfiguration, voice box rework, and a couple of dozen bottles of Rogaine. Is there contact information for the insurance companies protecting these rat bastards where I can apply for the appropriate compensation? I assume lost time and the expense of letting everyone know the new me will be included.


    • Gary (profile), 26 Aug 2019 @ 2:41pm

      Re: My Bio-metrics have been stolen?

      Nope, just a year of free credit monitoring and your share of a $150k payout split 12 million ways. But that credit monitoring is worth $65 retail!!


      • Anonymous Anonymous Coward (profile), 26 Aug 2019 @ 2:44pm

        Re: Re: My Bio-metrics have been stolen?

        Really? WOW! I am sooo relieved.


      • JoeCool (profile), 26 Aug 2019 @ 4:11pm

        Re: Re: My Bio-metrics have been stolen?

        It's free credit monitoring OR your share of $150K split 12 million ways, not AND.


        • Anonymous Coward, 27 Aug 2019 @ 7:37am

          Re: Re: Re: My Bio-metrics have been stolen?

          It's free credit monitoring OR your share of $150K split 12 million ways

          At least if a court ever needs to put an "official" dollar value on credit monitoring, we have a good way to get a number.


  • Anonymous Coward, 28 Aug 2019 @ 6:30am

    And this is the country that wants a database of people who watch porn.


