UK Metropolitan Police, Governments, and Banks Implicated
In the early weeks of August 2019, millions of fingerprints, facial recognition information, login credentials, and personal information were accidentally made public by Suprema Security. The firm involved is used by banks, governments, and policing bodies from all over the world – making this a particularly troubling data breach.
Fortunately, on this occasion, the breach was found by a group of white hat hackers (also known as ethical hackers) rather than criminals. White hat hackers look for vulnerabilities in big businesses' systems and report them so that those businesses can close the gaps in their cyber security.
So, What Happened?
Suprema are responsible for a biometrics system called BioStar 2. This system supplies businesses with secure access to facilities, such as office buildings or warehouses. BioStar 2 uses fingerprints and facial recognition to grant access to these workplaces.
Recently, Suprema integrated its biometrics system into AEOS, another access control system used by nearly 6,000 businesses around the world, including the UK Metropolitan Police.
vpnmentor, the group that discovered the breach, found that BioStar 2's database was barely encrypted, meaning the data was stored insecurely and was therefore open to exploitation by anyone with the know-how.
It wasn’t just fingerprints that were publicly available, but photographs, facial recognition information, names, addresses, and passwords too.
Commenting on the breach, Suprema stated:
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets”
This is troubling because, had the exposed database been found by criminals rather than ethical hackers, its 27.8m records could very easily have been posted all over the internet, including the dark web.
Biometrics are not the kind of data you want made publicly available either: passwords can be changed, but fingerprints cannot.
How this data breach could have been more serious
Because the data wasn't encrypted, anyone who reached the database could read it in plain text.
This meant that vpnmentor researchers were able to see, in real time, who was entering any building running on BioStar 2 and to view all of the personal information stored on file for them. They were also able to alter the data and even add new users, meaning that unauthorised people could have gained physical access to the buildings themselves.
Suprema provides data security to over 1.5 million companies worldwide. If every one of these companies had its data released online, all of them would have been at risk of falling victim to a cyber attack or data breach.
The exposed data, which was discovered on 5th August 2019, was secured again on 13th August 2019. At this point there is no proof that any information has made it into the hands of criminals, but the investigation continues.