BioStar 2 Leak Exposes 23GB Data, 1M Fingerprints
A massive data breach in the database of the biometric security smart lock platform Suprema BioStar 2 has exposed 23GB of data and more than 1M fingerprints, as well as facial recognition information and other sensitive data.
As reported by VPN Mentor today, a biometrics system used by banks, UK police and defense companies has suffered a major data breach, revealing the fingerprints of more than one million people as well as unencrypted passwords, facial recognition information, and other personal data.
Internet privacy researchers Noam Rotem and Ran Locar first detected the breach on August 5 while scanning ports as part of a Web-mapping project. Their team hunts for familiar IP blocks and uses them to find holes in a company's Web system. When these holes are found, the researchers then look for vulnerabilities that could lead to a data breach. During this process, the team found large portions of BioStar 2's database unsecured and unencrypted.
The breached database included "almost every kind of sensitive data available," according to a VPN Mentor blog post. It includes more than 1 million fingerprints; facial recognition data and user images; access to client admin panels, dashboards, back-end controls, and permissions; unencrypted usernames and passwords; records of entry and exit to secure areas; and employee records.
"One of the more shocking and interesting aspects of this data breach was how unsecured the account passwords we accessed were," they point out. "Plenty of accounts had extremely simple passwords, like 'Password' and 'abdc1234.'" While some users had more complicated passwords, the researchers were able to view passwords across the database because they were stored as plaintext files.
Although the security vulnerability has now been fixed, the breach is a warning that organizations must “be alert about how they outsource their customer and employee data and how that data is stored and processed.”
“Organizations need to ensure that their suppliers and business partners are on par with the organization’s own security standards and continuously uphold their suppliers to that standard. This should be part of their supplier management process, including vetting and continuously monitoring these suppliers to take action on any change in the security.”