Suprema issues statement on biometric records exposure
Suprema has responded to the recent cybersecurity incident in which unencrypted biometric records from the BioStar 2 access control system were exposed to the internet.
“There are no indications that the data was downloaded during the incident based on the investigation to date. Please rest assured that this incident relates to a limited number of BioStar 2 Cloud API users. The vast majority of Suprema customers do not use BioStar 2 Cloud API in their access control and time management solutions,” Suprema Inc. President Young S. Moon says in a statement.
“We launched an internal investigation and immediately closed the access point. We also engaged a leading global forensics firm to conduct an in-depth investigation into the incident. Based on their investigation to date, they have confirmed that no further access has occurred and that the scope of potentially affected users is significantly less than recent public speculation.
“We are currently in the process of identifying potentially affected parties and engaging the relevant authorities and regulators. We will inform any impacted parties with additional information as soon as feasibly possible.
“While we are unable to provide further details at this stage, as investigations are ongoing, it remains our priority to continue providing outstanding products and services to our customers as well as our distributors.”
Security researcher Noam Rotem questioned the preliminary findings of the third-party forensics investigator in comments to Verdict.
“They never asked us where we accessed the data from, so they cannot know who accessed it,” Rotem said. “We always take the trouble of accessing these systems from at least two separate countries exactly for this purpose.”
It is possible the company traced the leak through server logs, but according to Rotem, if it has access to them, it would “know from which IP addresses the data was accessed, and not necessarily the identity of the people who accessed it. But at least they’d have a number to know how many people accessed it, when, and what did they do.”
Verdict also reports that the UK’s Information Commissioner’s Office has said it is aware of media reports on the matter and will look into it.