28M Records Exposed in Biometric Security Data Breach

Researchers associated with vpnMentor, which provides virtual private network reviews, on Wednesday reported a data breach involving nearly 28 million records in a BioStar 2 biometric security database belonging to Suprema.

"BioStar 2's database was left open, unprotected and unencrypted," vpnMentor said in an email provided to TechNewsWorld by a company staffer who identified himself as "Guy."

"After we reached out to them, they were able to close the leak," vpnMentor said.

The leak was discovered on Aug. 5 and vpnMentor reached out to Suprema on Aug. 7. The leak was closed Aug. 13.

The vpnMentor team gained access to client admin panels, dashboards, back-end controls and permissions, which ultimately exposed 23 GB of records:

The team was able to access information from a variety of businesses worldwide:

The data vpnMentor found exposed would have given any criminals who might have acquired it complete access to admin accounts on BioStar 2. That would let the criminals take over high-level accounts with complete user permissions and security clearances; make changes to the security settings network-wide; and create new user accounts, complete with facial recognition and fingerprints, to gain access to secure areas.

The data in question also would allow hackers to hijack user accounts and change the biometric data in them to access restricted areas. They would have access to activity logs, so their activities could be concealed or deleted. The stolen data would enable phishing campaigns targeting high-level individuals, and make phishing easier.

"There's not much a consumer can do here, since you can't really change your fingerprints or facial structure," observed Robert Capps, authentication strategist at NuData Security, a Mastercard company.

However, a data thief would require access to the consumer's device to commit biometric authentication fraud at that level.

"Data is not free," noted Colin Bastable, CEO of Lucy Security.

"There is a responsibility that goes with capturing it. If you cannot afford it, don't keep it," he told TechNewsWorld.

Many of the accounts had simple passwords like "password" and "abcd1234," vpnMentor pointed out.

"I can't see any excuse for using such passwords for real-world applications," Bastable said.

Still, "these are common passwords still used by consumers today," Capps told TechNewsWorld. "It's also possible that these are default passwords set when the account was created, but never changed."

Using simple passwords for any purpose is "an incredibly bad idea," Capps said. "It's a best practice to create a complex password that is memorable, or use a password manager to create highly complex passwords that are unique to a single account."

Best practices and standards for safe and secure password storage "have been available for decades," he pointed out.
