A massive online scandal: 1 million fingerprints became available for malicious use.
A security tool called Biostar 2 has been hacked and its data have been leaked online. 23 GB of data containing 30 million records were found exposed online, including 1 million fingerprints. Suprema runs Biostar 2, a biometric lock system that controls access and surveillance in secured buildings. The leak was discovered by Israeli researchers Noam Rotem and Ran Locar, working with the cybersecurity firm vpnMentor.
TIMELINE OF THE LEAK
Date discovered: 5th August 2019
Date vendors contacted: 7th August 2019
Date of action: 13th August 2019, when the exposure was fixed.
THE LEAKED DATA INCLUDE:
Access to client admin panels, dashboards, back end controls, and permissions
Facial recognition information and images of users
Unencrypted usernames, passwords, and user IDs
Records of entry and exit to secure areas
Employee records including start dates
Employee security levels and clearances
Personal details, including employee home address and emails
Businesses’ employee structures and hierarchies
Mobile device and OS information
In the "wrong" hands, these data could wreak havoc on the lives of the victims. Unlike passwords, fingerprints are permanent: once they are stolen, they cannot be changed. This makes fingerprint data theft even more concerning. Fingerprints are replacing typed passwords on many consumer items, such as phones. Most fingerprint scanners on consumer goods are unencrypted, so once an attacker develops a way to replicate your fingerprint, they gain access to all the private information stored on your device, such as messages, photos, and payment methods.
What did Suprema do wrong? In the first place, they were storing unencrypted information. In addition, their databases were poorly protected. Many passwords were found to be weak, such as "123456789", "password" or "abcd1234". The company should have followed a more rigorous security plan in general in order to protect its customers. Criminals with access to the leaked data could gain entry to sensitive areas, or obtain even more sensitive personal information about the victims.