More than one million fingerprints and a host of usernames and passwords have been exposed on an unsecured database hosted by a security platform that lists the Metropolitan Police among its clients.
The biometric and password data belongs to the BioStar 2 identity and access control platform, which is used by companies around the world; some of the data is priceless to criminals.
Privacy researchers working with the VPN review site vpnMentor said that the leak could affect tens of millions of users, since BioStar 2 partners with numerous other access control companies.
The BioStar database held information for US companies including Union Member House, a co-working space and social club with 7,000 users; Lits Link, a software development consultancy; and Phoenix Medical, a medical products manufacturer. Those in the UK included Associated Polymer Resources, a plastics recycling specialist; Tile Mountain, a home decor and DIY supplier; and Farla Medical, a medical supply store.
It’s still unclear if the discovered database is the main BioStar 2 repository or one that was copied by a negligent staffer.
Suprema Inc., the South Korean company that developed BioStar 2, said that public access to the database was restricted on Tuesday. On its website, Suprema said that the company is “the premium brand in security” which uses “independent organizations and process for quality assurance.”
Some of its products are used for physical access control to workrooms, data centres, hospitals, police stations, buildings and construction sites.
In a blog post, vpnMentor said the unsecured database was discovered on Aug. 5 while scanning the internet for certain IP blocks. That ongoing project has led vpnMentor and the researchers to make other disclosures about loosely protected databases. The team said huge parts of BioStar 2’s database were unprotected and mostly unencrypted.
“The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data,” the blog post read.
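The exposure the researchers describe is the familiar pattern of an Elasticsearch cluster bound to a network interface with its security features left off. As an added example, not code from the original article or from Suprema, here is a small Python audit of elasticsearch.yml settings that flags that pattern; the setting names are real Elasticsearch 7.x keys, and both sample configurations are constructed for the example.

```python
# Added example (not BioStar 2's or Suprema's code): audit elasticsearch.yml for the
# exposure pattern above. Setting names are real Elasticsearch 7.x keys; sample
# configs below are constructed for this example.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_settings(text):
    """Parse flat 'key: value' lines of elasticsearch.yml (comments ignored)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(settings):
    """Return findings for settings that leave the REST API open to the network."""
    findings = []
    host = settings.get("network.host", "_local_")  # default binds to loopback only
    exposed = host not in LOOPBACK
    if exposed:
        findings.append(f"info: network.host={host}, HTTP API reachable from the network")
    # In 7.x with a basic licence, security stays off unless explicitly enabled
    if settings.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("no authentication: xpack.security.enabled is not true")
    if settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("no TLS: xpack.security.http.ssl.enabled is not true")
    if exposed and len(findings) > 1:
        findings.append("CRITICAL: network-exposed and unauthenticated; any browser can read indices")
    return findings

WEAK = """\
cluster.name: access-control
network.host: 0.0.0.0   # listens on every interface
http.port: 9200
"""
HARDENED = """\
cluster.name: access-control
network.host: 10.0.5.12
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_settings(cfg)))
```

The hardened configuration still reports the network binding as informational, since a cluster that must serve other hosts cannot bind to loopback; the point is that binding beyond loopback without authentication is what turns a browser into a data export tool.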
The database had detailed personal information of employees and unencrypted usernames and passwords, as well as over 1 million fingerprint records and facial recognition information. “Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive.”
Unlike a password, which can be changed, stolen biometric information is compromised permanently. However, the damage can be mitigated if biometric identifiers are combined with other access control features such as two-factor authentication. The hardware’s resilience against spoofing is also important.
The blog said the researchers were able to access over 27.8 million records, a total of 23 gigabytes of data, including:
- Access to client admin panels, dashboards, back end controls, and permissions
- fingerprint data
- facial recognition information and images of users
- unencrypted usernames, passwords, and user IDs
- records of entry and exit to secure areas
- employee records including start dates
- employee security levels and clearances
- personal details, including employee home address and emails
- businesses’ employee structures and hierarchies
- mobile device and OS information of customers
The blog observes that among the unencrypted passwords, plenty of accounts used “Password”, “abcd1234” and other easy-to-guess choices.
View the vpnMentor report here