A biometrics system used by UK police, defence contractors and banks has suffered a major data breach, leaving the fingerprints of over a million people publicly accessible. Alongside the fingerprints, facial recognition data, unencrypted usernames and passwords, and other personal information were also exposed.
Israeli security researchers Noam Rotem and Ran Locar from vpnMentor discovered the mostly unencrypted and publicly accessible database. By manipulating the URL search criteria, the pair gained access to over 23GB of data containing almost 28 million records.
The database belongs to the Biostar 2 biometric system, which is managed by a security company called Suprema. It’s a system that’s used to grant authorised individuals access to secure facilities.
The flaw meant that the researchers could add new users to the database, giving access to the facilities the Biostar 2 system was meant to protect. The fingerprints in the database were also stored as actual fingerprints that could be copied and used by others, rather than as a hash of the fingerprint that can’t be reverse-engineered.
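The point about storing a one-way hash rather than the raw secret applies directly to the exposed usernames and passwords. The example below is an added illustration, not code from Suprema or from the vpnMentor researchers: it contrasts a store that keeps plaintext credentials (what the breached database effectively did) with one that keeps only a salted PBKDF2 hash, so that a leaked record cannot be turned back into the secret. All names, users and passwords in it are constructed. One caveat for biometrics: a cryptographic hash only works for secrets that are reproduced exactly, like passwords; a fingerprint capture varies slightly each time, so biometric templates need dedicated template-protection schemes rather than a plain hash, but the underlying principle of never storing the raw, reusable credential is the same.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; chosen for the example, tune for real deployments.
ITERATIONS = 200_000


def hash_secret(secret: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given,
    so identical passwords for different users produce different stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return salt, digest


class PlaintextStore:
    """Stores the credential as-is. Anyone who reads the database reads the secret."""

    def __init__(self) -> None:
        self.records: Dict[str, bytes] = {}

    def add(self, user: str, secret: bytes) -> None:
        self.records[user] = secret

    def verify(self, user: str, secret: bytes) -> bool:
        return self.records.get(user) == secret


class HashedStore:
    """Stores only (salt, PBKDF2 digest). The secret is never written anywhere."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[bytes, bytes]] = {}

    def add(self, user: str, secret: bytes) -> None:
        self.records[user] = hash_secret(secret)

    def verify(self, user: str, secret: bytes) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        salt, stored = rec
        _, candidate = hash_secret(secret, salt)
        # Constant-time comparison avoids leaking digest bytes via timing.
        return hmac.compare_digest(candidate, stored)


def secret_recoverable_from_leak(store, user: str, secret: bytes) -> bool:
    """Simulate an attacker who has dumped the database: can the raw secret be
    read straight out of the stored record? True for plaintext, False for hashed."""
    rec = store.records[user]
    blob = rec if isinstance(rec, bytes) else b"".join(rec)
    return secret in blob


def demo() -> Dict[str, bool]:
    # Constructed sample credential; not from the article.
    user, pw = "alice", b"correct horse battery staple"
    plain, hashed = PlaintextStore(), HashedStore()
    plain.add(user, pw)
    hashed.add(user, pw)
    return {
        "plain_verifies": plain.verify(user, pw),
        "hashed_verifies": hashed.verify(user, pw),
        "hashed_rejects_wrong": hashed.verify(user, b"wrong"),
        "hashed_rejects_unknown_user": hashed.verify("bob", pw),
        "plain_leaks_secret": secret_recoverable_from_leak(plain, user, pw),
        "hashed_leaks_secret": secret_recoverable_from_leak(hashed, user, pw),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the script shows both stores accepting the right password, but only the plaintext store handing an attacker the secret when its records are dumped; with the hashed store, the leaked salt and digest verify a password but cannot reproduce it.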
Rotem said that he and Locar made multiple attempts to contact Suprema to no avail, but the flaw has since been patched. Andy Ahn, Suprema’s head of marketing, told The Guardian that the company has taken an “in-depth evaluation” of the information and will inform its customers if there was a threat.