Update: The Information Commissioner's Office has confirmed it is aware of the report and will be making enquiries into the incident
The biometric data, unencrypted passwords, and personal data of over one million people have been discovered sitting on a publicly accessible database belonging to a company that serves the likes of the UK Metropolitan Police and banking groups.
Alongside data theft, it's believed that, if exploited, the information could be used by hackers to manipulate control systems into allowing them entry into secure facilities.
The data trove is associated with the Biostar 2 biometrics system, a web-based centralised lock application that allows admins to create controlled access points to secure facilities. Biostar 2, which is owned and operated by security firm Suprema, collects facial recognition and fingerprint data on those accessing a building.
Suprema announced last month that it would be integrating Biostar 2 into its other access control system AEOS, one said to be used by over 5,700 organisations across 83 countries, including the Met police.
According to a report published today by cyber security researchers and ethical hackers Noam Rotem and Ran Locar, working alongside VPN review site vpnMentor, the pair discovered the breach as part of a web-mapping project. This is designed to scan ports for familiar IP blocks and then use these to test for vulnerabilities.
As part of that project, they stumbled across the Biostar 2 system, quickly discovering that a database of sensitive information had been left unencrypted and publicly available. Using Elasticsearch to navigate through the database, the researchers were able to access over 27.8 million records, totalling 23GB.
Fingerprint data, facial recognition information and user images, unencrypted passwords and usernames, employee records, email and home addresses, mobile device information, and data relating to the organisation's hierarchy were all found on the database, according to the team.
Speaking to the Guardian, the team also revealed that by analysing the data they could see who was requesting access to secure sites in real time.
"We were able to find plain-text passwords of administrator accounts," said Rotem. "The access allows first of all seeing millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even."
Having access meant he could change the user IDs associated with those secure facilities, and even edit accounts to assign his own fingerprint, granting himself authorised access to a building.
The researchers also noted that a large proportion of the unencrypted passwords were "ridiculously simple", often following simple strings like 'abcd1234' and, in some cases, 'Password'. Those that were more complex were undone by the fact that Biostar 2 had stored these in plain text.
"Instead of saving a hash of the fingerprint (that can't be reverse-engineered) they are saving people's actual fingerprints that can be copied for malicious purposes," the team explained.
It's believed that Biostar 2 has over 1.5 million installations worldwide, all of which could be vulnerable to the leak, according to the team. This could potentially put tens of millions of users at risk of data loss.
The team said it had contacted Suprema early into their investigations, however, they found the company to be "generally very uncooperative", with numerous contact attempts going unanswered. It wasn't until the team made contact with a French branch of Suprema that their report was acknowledged and work was carried out to plug the breach.
Suprema is said to have failed to deploy basic security precautions to avoid a breach of this kind. The researchers have urged companies to check their databases are protected against public access and that any highly sensitive data, such as fingerprints, are saved as a hash rather than in their original form.
The research team has also urged those companies who use Biostar 2 to contact Suprema directly, and to change the dashboard passwords of each user immediately.
IT Pro has contacted the Metropolitan Police, and a number of companies potentially affected by the breach, for comment.
UK DIY and tile specialists Tile Mountain was one of a number of companies said to have been affected by the breach. In a statement seen by IT Pro, the company said that it had not been an active Suprema customer since February 2018, and that all biometric data from that date had been sored on internal servers.
"Tile Mountain takes data protection very seriously and following the Biostar 2 data breach, an internal investigation has been conducted to ensure that proprietary systems - as well as any third-party platforms and the data held by them - are secure," said Colin Hampson, IT director at Tile Mountain.
"Despite Tile Mountain not being an active client of Suprema it is concerning that no contact was made to inform us that data may have been compromised - this could potentially have prevented Tile Mountain from carrying out its obligations under GDPR.
"However, Tile Mountain is satisfied that employee and customer data remains secure and has taken the necessary steps to ensure that internal servers and systems that are integrated with third-party platforms have the necessary protections in place to prevent such breaches."
