By Bill Minahan | August 16, 2019
August 2019: the first major biometric data leak has happened, and it has exposed over a million individual fingerprints and facial recognition records.
The South Korean company Suprema runs Biostar 2, a cloud-based service that stores biometric data for companies and organizations worldwide.
According to a report from the Guardian, the company provides security services for the UK Police, banks, and defense contractors.
The fingerprints, facial recognition information, unencrypted usernames and passwords, and personal information of employees were found on a publicly accessible database by internet security researchers Noam Rotem and Ran Locar.
The unprotected database housed over 27.8 million unencrypted records.
Unfortunately, it’s unclear how long this database was publicly available. It’s also unknown how many people accessed it.
Biometrics is a useful tool for authenticating a user; however, it is also an irreplaceable part of a person’s identity. The companies and third parties we choose to share our biometric data with should be chosen with care.
Once your biometric data is compromised, you are indefinitely at risk of future attacks and fraud. You can change your password, username, credit card number, etc., but you can’t change your fingerprints or your face.
However, the damage done by this leak is not yet clear.
Biostar 2 provides biometric security lock systems for organizations to control access to facilities. The company uses fingerprints and facial recognition to identify people attempting to gain access to buildings.
It’s abundantly clear that the consequences for biometric data leaks are far-reaching and long-lasting.
Biometric data is inarguably one of the best ways to authenticate users’ identities. However, it should be a part of multifactor authentication (MFA). That way, biometric data on its own won’t be enough for cybercriminals. Read more about MFA and how it protects you here.
Businesses and individuals alike need to put the companies they trust to store this data under a larger microscope. Even if a misconfiguration allowed public access to Biostar 2’s database, the sensitive information should have been encrypted.
Passwords, usernames, photos, etc. should never have been left in plain text, especially by a company that specializes in security. It is a warning to businesses to ensure the security providers they partner with are taking their own medicine.
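As an added illustration of the two points above (biometrics as one factor among several, and no plaintext credentials at rest), the following Python is example code written for this post; it is not Suprema’s or Biostar 2’s software and says nothing about how their service is built. It assumes the fingerprint or face match is performed on the reader and reported to the server as a yes/no result, and it uses a hypothetical `CredentialStore` that holds only salted PBKDF2 password verifiers plus a TOTP secret, so a dump of its records contains no plaintext password, and a biometric match on its own is never enough to log in. Everything is standard library.

```python
"""Added example (not the page's or Suprema's code): credential records that
hold no plaintext, and a login check in which the biometric factor is only
one of three. Names and the record layout are hypothetical."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # work factor for PBKDF2-HMAC-SHA256; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time-step that contains Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


class CredentialStore:
    """Holds only non-reversible password verifiers and a TOTP secret.

    The TOTP secret must be recoverable, so in production it belongs in a column
    encrypted under a key held outside the database (KMS/HSM), not in the clear
    as in this toy in-memory dict.
    """

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt, digest = hash_password(password)
        self.records[username] = {"salt": salt, "pw_digest": digest, "totp_secret": totp_secret}

    def leaked_view(self, username: str) -> dict:
        """What an attacker would see if this row were exposed: hex blobs, no password."""
        rec = self.records[username]
        return {k: v.hex() for k, v in rec.items()}

    def authenticate(self, username: str, password: str, code: str,
                     reader_matched: bool, at: int) -> bool:
        """Three independent factors must all hold.

        `reader_matched` is the biometric reader's match decision (assumed to be
        reported by the device). A stolen template that fools the reader still
        fails here without the password and the one-time code.
        """
        rec = self.records.get(username)
        if rec is None:
            # Burn the same work as a real check so a missing user is not faster.
            hash_password(password, b"\x00" * 16)
            return False
        pw_ok = verify_password(password, rec["salt"], rec["pw_digest"])
        otp_ok = verify_totp(rec["totp_secret"], code, at)
        # Evaluate every factor before combining; no early exit on the first failure.
        return pw_ok and otp_ok and reader_matched


if __name__ == "__main__":
    store = CredentialStore()
    secret = os.urandom(20)
    store.enroll("alice", "correct horse battery staple", secret)
    now = 1_700_000_000
    print("leaked row:", store.leaked_view("alice"))
    print("all factors:", store.authenticate("alice", "correct horse battery staple",
                                             totp(secret, now), True, now))
    print("biometric only:", store.authenticate("alice", "", "000000", True, now))
```

The `leaked_view` method is the point of the example: even if this store were exposed the way the Biostar 2 database was, the row reveals no usable password, and the biometric factor alone is rejected by `authenticate`.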
Unfortunately, this is likely the beginning of a long string of biometric leaks. On the bright side, it should bring issues like encryption, MFA, and privacy to the forefront.
Additionally, if you want to see where your company’s vulnerabilities lie, take our free cyber security assessment. Start the conversation and protect your business.