Researchers discovered an unsecured online database owned by Suprema that contained the fingerprints and facial recognition data of one million people.
Researchers from
The 23-GB ElasticSearch archive was discovered earlier in August; the data contained in the database were collected from
Data was collected by the UK Metropolitan police, small local businesses and governments globally.
“The data leaked in the breach is of a highly sensitive nature. It includes detailed personal information of employees and unencrypted usernames and passwords, giving hackers access to user accounts and permissions at facilities using BioStar 2.” reads the post published by vpnMentor. “Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities.”

The archive included 27.8 million records that also contained sensitive data such as employee home addresses and email addresses, employee records and security levels, and more.
The leak affected several organizations worldwide; examples of the impacted businesses include:
USA
- Union Member House – Coworking space and social club with 7,000 users.
- Lits Link – Software development consultancy.
- Phoenix Medical – Medical products manufacturer.
United Kingdom
- Associated Polymer Resources – Plastics recycling specialists.
- Tile Mountain – Home decor and DIY supplier.
- Farla Medical – Medical supply store.
Germany
- Identbase – Data belonging to this supplier of commercial ID and access card printing technology was also found in the exposed database.
Scammers could perform various fraudulent activities by combining users’ fingerprint records with personal details, usernames, and passwords.
One of the most disconcerting issues of this case is that biometric data was stored in plain text.
At this time it is not possible to determine whether the archive was accessed by third parties. Below is the timeline shared by
- Date discovered: 5th August 2019
- Date vendors contacted: 7th August 2019
- Date of Action: 13th August, the breach was closed
Experts pointed out that BioStar 2 was very uncooperative,
“Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can’t be undone. The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company.” concludes vpnMentor.
“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.
Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities.”
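The vpnMentor quote above makes the core storage point: a backend that keeps only salted, slow hashes of a secret cannot hand that secret to anyone who copies the database, whereas a backend that keeps the secret itself (the unencrypted usernames and passwords the article describes) leaks it outright. The following Python is an added example written for this article; it is not code from Security Affairs, vpnMentor or Suprema, and the record layout, field names, sample values and iteration count are assumptions. It builds a credential record with PBKDF2-HMAC-SHA256, verifies a login against it in constant time, and runs a small audit that flags records holding plaintext passwords or weak hashes, the kind of check a defender would run over an exported user table before it is ever exposed.

```python
import hashlib
import hmac
import os

# Added example, not code from the article, vpnMentor or Suprema.
# Field names ("username", "salt", "hash", "iterations") and the cost
# factor below are assumptions chosen for illustration.
PBKDF2_ITERATIONS = 600_000  # assumed cost; tune for your own hardware


def make_record(username: str, password: str) -> dict:
    """Return a stored user record holding only a random salt and a
    PBKDF2-HMAC-SHA256 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "username": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify(record: dict, password: str) -> bool:
    """Recompute the hash for a login attempt with the stored salt and cost,
    and compare it to the stored hash in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


def audit_record(record: dict) -> list:
    """Flag storage weaknesses in one credential record (assumed layout).
    Returns a list of finding names; an empty list means nothing was flagged."""
    findings = []
    if "password" in record:
        # The secret is stored as-is: anyone who reads the table has it.
        findings.append("plaintext_password")
    if "hash" in record and not record.get("salt"):
        # Unsalted hashes are vulnerable to precomputed lookups.
        findings.append("unsalted_hash")
    if "hash" in record and record.get("iterations", 0) < 100_000:
        # A fast hash lets an attacker test guesses at high speed.
        findings.append("low_iteration_count")
    return findings


# Constructed sample of the unsafe layout the article describes:
# the password sits in the record in clear text.
PLAINTEXT_RECORD = {
    "username": "jsmith",
    "password": "Summer2019!",  # constructed sample value
}


if __name__ == "__main__":
    safe = make_record("jsmith", "Summer2019!")
    print("login with correct password:", verify(safe, "Summer2019!"))
    print("login with wrong password:  ", verify(safe, "Winter2019!"))
    print("findings, plaintext record:", audit_record(PLAINTEXT_RECORD))
    print("findings, hashed record:   ", audit_record(safe))
```

The hashed record exposes a salt and a digest but not the password, so a copy of the table does not grant logins; the audit function is the piece to run across an exported dataset, since a single plaintext field anywhere in it undoes the protection for that account.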