28M Records Exposed in Biometric Security Data Breach
- by 7wData
Researchers associated with vpnMentor, which publishes virtual private network reviews, on Wednesday reported a data breach involving nearly 28 million records in a BioStar 2 biometric security database belonging to Suprema.
"BioStar 2's database was left open, unprotected and unencrypted," vpnMentor said in an email provided to TechNewsWorld by a company staffer who identified himself as "Guy."
"After we reached out to them, they were able to close the leak," vpnMentor said.
The leak was discovered on Aug. 5 and vpnMentor reached out to Suprema on Aug. 7. The leak was closed Aug. 13.
The vpnMentor team gained access to client admin panels, dashboards, back-end controls and permissions, which ultimately exposed 23 GB of records. The team was able to access information from a variety of businesses worldwide.
The data vpnMentor found exposed would have given any criminals who acquired it complete access to admin accounts on BioStar 2. That would let them take over high-level accounts with full user permissions and security clearances; change security settings network-wide; and create new user accounts, complete with facial recognition and fingerprint data, to gain entry to secure areas.
The exposed data also would allow attackers to hijack existing user accounts and swap in their own biometric data to reach restricted areas. Because they would have access to the activity logs, they could conceal or delete the traces of what they did. The stolen personal details would also make for convincing phishing campaigns targeting high-level individuals.
"There's not much a consumer can do here, since you can't really change your fingerprints or facial structure," observed Robert Capps, authentication strategist at NuData Security, a Mastercard company.
However, a data thief would require access to the consumer's device to commit biometric authentication fraud at that level.
"Data is not free," noted Colin Bastable, CEO of Lucy Security.
"There is a responsibility that goes with capturing it. If you cannot afford it, don't keep it," he told TechNewsWorld.
Many of the accounts had simple passwords like "password" and "abcd1234," vpnMentor pointed out.
"I can't see any excuse for using such passwords for real-world applications," Bastable said.
Still, "these are common passwords still used by consumers today," Capps told TechNewsWorld. "It's also possible that these are default passwords set when the account was created, but never changed."
Using simple passwords for any purpose is "an incredibly bad idea," Capps said. "It's a best practice to create a complex password that is memorable, or use a password manager to create highly complex passwords that are unique to a single account."
Best practices and standards for safe and secure password storage "have been available for decades," he pointed out.
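The storage practice Capps alludes to, in contrast to the plaintext credentials vpnMentor found, is shown below as an added example; it is not Suprema's, BioStar 2's or vpnMentor's code. It keeps only a per-user salted scrypt hash of each password (using the Python standard library), compares in constant time, burns the same work on unknown usernames so login timing does not reveal which accounts exist, and refuses enrollment of trivial or default passwords such as the "password" and "abcd1234" the article names. The deny-list, the user store and the scrypt parameters are constructed for the example and are assumptions, not values from the page.

```python
"""Salted, memory-hard password storage (added example, not the vendor's code)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed deny-list. The first two entries are the passwords the article
# names; a real deployment would load a large breached-password corpus.
WEAK_PASSWORDS = frozenset({"password", "abcd1234", "123456", "qwerty", "admin"})

# scrypt cost parameters: assumed values for this demo (128 * N * r = 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def password_is_acceptable(password: str, min_length: int = 12) -> bool:
    """Reject short passwords and anything on the deny-list (case-insensitive)."""
    return len(password) >= min_length and password.lower() not in WEAK_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, and a leaked table cannot be attacked with one
    precomputed dictionary for all rows.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the parameters embedded in the record and
    compare in constant time. Malformed records never verify."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.scrypt(password.encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


# Record used when the username does not exist, so that a login attempt for
# an unknown account costs the same scrypt work as one for a real account.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def register_user(store: Dict[str, str], username: str, password: str) -> None:
    """Enroll a user, refusing deny-listed or short passwords up front."""
    if not password_is_acceptable(password):
        raise ValueError("password too short or on the deny-list")
    store[username] = hash_password(password)


def authenticate(store: Dict[str, str], username: str, password: str) -> bool:
    """Verify against the stored record; the hash is always computed before
    the membership check so unknown users are not faster to probe."""
    record = store.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in store


if __name__ == "__main__":
    users: Dict[str, str] = {}  # constructed in-memory store: username -> record
    register_user(users, "admin", "correct horse battery staple 2019")
    print(users["admin"])  # salt and hash only; the password itself is not stored
    print(authenticate(users, "admin", "correct horse battery staple 2019"))  # True
    print(authenticate(users, "admin", "password"))                          # False
    print(authenticate(users, "nobody", "correct horse battery staple 2019"))  # False
```

The record format carries its own cost parameters, so a later increase of `SCRYPT_N` can be rolled out by re-hashing each user at their next successful login rather than by invalidating every account at once.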