Millions of unencrypted biometric fingerprint and face records exposed to web; Suprema responds


Internet privacy researchers have found a huge database of publicly exposed, unencrypted biometric fingerprint and facial images from thousands of organizations in numerous countries. Researchers from vpnMentor discovered they could access databases for the BioStar 2 physical access control system from Suprema, and found more than 1 million fingerprint records as well as facial recognition data, according to a blog post.

In addition to biometrics, the security breach exposed personal information and unencrypted usernames and passwords, according to researchers Noam Rotem and Ran Locar. Their team was able to access 27.8 million records and 23 gigabytes of data, none of which appears to have been securely hashed. The researchers also note that many simple and insecure passwords were found among the exposed credentials. Unlike the passwords, however, the unhashed biometric data cannot be changed.

The breach was discovered on August 5, the vendor contacted on August 7, and the breach was closed on August 13.

The researchers were able to find credentials for administrator accounts, and also to change or add entries to databases, raising the possibility that a malicious actor could have leveraged the breach to break into biometrically protected buildings or rooms, as well as other systems.

Rotem told The Guardian that Suprema is far from the only company with vulnerable data online.

“It’s very common. There’s literally millions of open systems, and going through them is a very tedious process,” he said. “And some of the systems are quite sensitive.”

“Mistakes happen, and the real test is how you handle them,” Rotem added.

BioStar 2 was recently integrated with the AEOS access control system by Nedap, which serves the UK Metropolitan Police, large multinational enterprises, governments and banks.

Suprema Head of Marketing Andy Ahn told The Guardian the company has undertaken an “in depth evaluation” of the breach report.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn says.

In an emailed statement to Biometric Update, Ahn said that “Suprema Inc. is aware of the reports in the press regarding its BioStar 2 platform and the alleged unauthorized access to data involving vpnMentor. The Company takes any report of this nature very seriously. It is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary. At this stage, it cannot make any further comment but will, if appropriate, issue a further press statement in due course, including corrections of any erroneous assertions in the reports to date.”

Digital Barriers CEO Zak Doffman writes in an article for Forbes that providing biometric information to a large number of organizations creates risk, and what is needed is actually “some kind of unified platform” to limit the number of instances of stored biometric data, with other parties gaining access to it “as a service.”

Updated at 3:35 pm on August 15, 2019 with a statement from Suprema.
