28M Records Exposed in Biometric Security Data Breach
By Richard Adhikari
Aug 15, 2019 2:31 AM PT
a team of researchers discovered a huge unprotected trove of biometric security records

Researchers associated with vpnMentor, which provides virtual private network reviews, on Wednesday reported a data breach involving nearly 28 million records in a BioStar 2 biometric security database belonging to Suprema.

"BioStar 2's database was left open, unprotected and unencrypted," vpnMentor said in an email provided to TechNewsWorld by a company staffer who identified himself as "Guy."

"After we reached out to them, they were able to close the leak," vpnMentor said.

BioStar 2 is Suprema's Web-based, open, integrated security platform.

The leak was discovered on Aug. 5 and vpnMentor reached out to Suprema on Aug. 7. The leak was closed Aug. 13.

What Was Taken

The vpnMentor team gained access to client admin panels, dashboards, back-end controls and permissions, which ultimately exposed 23 GB of records:

  • Fingerprint data;
  • Facial recognition information and images of users;
  • Unencrypted usernames, passwords and user IDs;
  • Records of entry and exit to secure areas;
  • Employee records including start dates;
  • Employee security levels and clearances;
  • Personal details, including employee home address and emails;
  • Businesses' employee structures and hierarchies; and
  • Mobile device and OS information.

The team was able to access information from a variety of businesses worldwide:

  • United States-based organizations Union Member House, Lits Link and Phoenix Medical;
  • UK-based Associated Polymer Resources, Tile Mountain and Farla Medical;
  • Finland's Euro Park;
  • Japan's Inspired.Lab;
  • Belgium's Adecco Staffing; and
  • Germany's Identbase.de.

The data vpnMentor found exposed would have given any criminals who might have acquired it complete access to admin accounts on BioStar 2. That would let the criminals take over high-level accounts with complete user permissions and security clearances; make changes to the security settings network-wide; and create new user accounts, complete with facial recognition and fingerprints, to gain access to secure areas.

The data in question also would allow hackers to hijack user accounts and change the biometric data in them to access restricted areas. They would have access to activity logs, so their activities could be concealed or deleted. The stolen data would enable phishing campaigns targeting high-level individuals, and make phishing easier.

"There's not much a consumer can do here, since you can't really change your fingerprints or facial structure," observed Robert Capps, authentication strategist at NuData Security, a Mastercard company.

However, a data thief would require access to the consumer's device to commit biometric authentication fraud at that level.

"Data is not free," noted Colin Bastable, CEO of Lucy Security.

"There is a responsibility that goes with capturing it. If you cannot afford it, don't keep it," he told TechNewsWorld.

The Care and Feeding of Passwords

Many of the accounts had simple passwords like "password" and "abcd1234," vpnMentor pointed out.

"I can't see any excuse for using such passwords for real-world applications," Bastable said.

Still, "these are common passwords still used by consumers today," Capps told TechNewsWorld. "It's also possible that these are default passwords set when the account was created, but never changed."

Using simple passwords for any purpose is "an incredibly bad idea," Capps said. "It's a best practice to create a complex password that is memorable, or use a password manager to create highly complex passwords that are unique to a single account."

Best practices and standards for safe and secure password storage "have been available for decades," he pointed out.

The vpnMentor team easily viewed more complicated passwords used with other accounts in the BioStar 2 database, because they were stored as plain text files instead of securely hashed.

"If [this] is for real, then it is a fundamental failure of security practice," Bastable said. "It's not as if encryption is a lost art or horrendously expensive."

Passwords never should be stored as plain text, Capps cautioned. Even hashing passwords can be a problem if a weak algorithm or short password is used.

"Many weaker hashing algorithms have had 'rainbow tables' -- precomputed hash results for simple text strings -- that allow the hashed password to be mapped back to their clear text format," he explained. "This allows for simple recovery of some hashed data."

The Greater Danger

Suprema this spring announced the integration of its BioStar 2 solution with the AEOS access control system from Nedap.

More than 5,700 organizations in 83 countries use AEOS. Those entities include businesses, governments, banks and the UK Metropolitan police.

The integration is so seamless that operators can continue working in AEOS to manage finger enrollment and biometric identities without switching screens. Biometric profiles are stored in BioStar and are synchronized with AEOS constantly. SSL certificates protect the synchronization.

Both Nedap's and Suprema's clients deal with an exceptional variety of security requirements.

"This can make project implementation complex in nature. The primary goal for this integration has always been to provide a truly flexible and scalable solution that's easy to implement and maintain," observed Ruben Brinkman, alliance manager at Nedcap.

"This points to a major issue. Convenience is often achieved at a high but hidden cost in terms of compromised security," Bastable said. "When you seamlessly integrate with another technology, you adopt their security practices and hand these on to your customers."

The first projects incorporating both firms' technologies are in the pipeline.

"As a whole, biometric verification is still effective and safe," NuData's Capps noted. "Individual implementations may be suspect, depending on the sophistication, security acumen and forward-looking designs implemented."

Biometric Systems and Safety

"Sadly, there is an assumption that security companies which offer [biometric] technologies are in themselves paragons of security virtue," Lucy Security's Bastable said.

"Ask the hard questions of their data security. Don't trust, but do verify, because your own security relies on your third-party suppliers and partners," he advised.

"Encrypt," Bastable added. "Use hardware key security. Tokenization. Have a sound policy, test it -- and don't allow superusers who can abuse their access."


Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology. Email Richard.