Millions Of Biometric Records Collected By Companies And Governments Left Exposed On The Web
from the one-stop-shopping-for-identity-thieves dept
One of the many problems with collecting biometric data is you need to have someplace safe to store it. Sure, you could lock it away in something disconnected from the net, but then it's not much use to the dozens of private companies and government agencies that want access to the data they've collected. So, back on the web it goes, where it can be prodded for weaknesses by security researchers and malicious hackers alike.
We can only hope the security researchers got there first.
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.
The data breach was discovered by vpnMentor researchers, who were performing their usual port scans and checking familiar IP blocks for weaknesses. They found a big one at BioStar 2, the third-party platform that provides access to the biometric databases maintained by over 5,700 companies and government agencies. Only minimal precautions were taken to protect BioStar's data from outside threats -- and even that minimal effort was easily thwarted.
The team discovered that huge parts of BioStar 2’s database are unprotected and mostly unencrypted. The company uses an Elasticsearch database, which is ordinarily not designed for URL use. However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data.
Not only were the researchers able to see all of this sensitive data, they were also able to change it. Thanks to the list of unencrypted administrator usernames and passwords, researchers were able to add themselves to accounts and utilize stored privileges to examine BioStar 2's databases more thoroughly.
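As an added illustration, not from the article or from vpnMentor's report: a small Python detector that runs over constructed reverse-proxy access-log lines and flags successful, unauthenticated reads of Elasticsearch index data from outside the network, which is the browser-driven URL access the report describes. The combined log format, the internal address ranges and the sample lines are all assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" format, as a reverse proxy in
# front of an Elasticsearch cluster would write them. Illustrative only; these are
# not logs from BioStar 2 or from vpnMentor's report.
SAMPLE_LOG = """\
10.2.0.14 - svc_indexer [14/Aug/2019:09:12:01 +0000] "POST /employees/_doc HTTP/1.1" 201 142 "-" "python-requests/2.22"
203.0.113.7 - - [14/Aug/2019:09:13:45 +0000] "GET /_cat/indices?v HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Aug/2019:09:14:02 +0000] "GET /users/_search?q=*&size=1000 HTTP/1.1" 200 918422 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Aug/2019:09:15:10 +0000] "GET /users/_search?q=admin HTTP/1.1" 401 87 "-" "curl/7.64"
10.2.0.9 - auditor [14/Aug/2019:09:16:33 +0000] "GET /_cluster/health HTTP/1.1" 200 389 "-" "curl/7.64"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Assumed internal ranges; adjust to the deployment being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Read-side API paths that return document contents or enumerate indices.
READ_PATTERNS = ("/_search", "/_cat/indices", "/_cat/aliases", "/_mapping", "/_source")

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(line: str):
    """Return a finding for an anonymous, successful, external read of index data; else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path
    if not any(p in path for p in READ_PATTERNS):
        return None
    if m["user"] != "-" or is_internal(m["ip"]):
        return None
    if m["status"] != "200":  # a 401/403 means authentication is doing its job
        return None
    return {"ip": m["ip"], "path": path, "bytes": int(m["size"]), "ts": m["ts"]}

def scan(log_text: str):
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} read {f['path']} ({f['bytes']} bytes) without authentication")
```

A large byte count on a `_search` hit from an anonymous external address, as in the third sample line, is the signature of bulk exposure rather than a stray probe.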
vpnMentor contacted BioStar 2 several times but was ignored repeatedly by its personnel. The only entity that was remotely helpful was the company's French branch, which was apparently instrumental in getting the breach closed. Even so, it still took eight days for BioStar to fix the hole in its system after being notified. vpnMentor didn't publish its findings until after this, but no one can say for sure how long this breach was accessible prior to its discovery by vpnMentor.
Names and passwords are certainly being changed in the wake of this discovery. But this breach was full of biometric info linked to other personally identifiable information held by BioStar 2's customers. Fingerprints and other biometric markers can't be changed. These are inextricably tied to whatever other sensitive information was collected by multiple entities -- much of which was stored in unencrypted form.
Suprema and BioStar 2 will probably take security more seriously in the future, but the damage is done. The fact that the marketing team is issuing statements on the breach rather than someone with direct knowledge of the situation isn't exactly reassuring. Neither is the issued statement, which suggests the company would rather have kept the breach buried than been honest and direct with its users.
Suprema’s head of marketing, Andy Ahn, told the Guardian the company had taken an “in-depth evaluation” of the information provided by vpnMentor and would inform customers if there was a threat.
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” Ahn said.
In other words, customers will only be informed of the breach if they've been targeted by criminals or malicious hackers. The rest of their customers aren't on the "need to know" list. Fortunately for its out-of-the-loop customers, vpnMentor has made the disclosure the company spent eight days not making.
Filed Under: biometric records, fingerprints, privacy, security
Companies: biostar 2
Reader Comments
Ah, the big data world where companies collect all sorts of personal data and make it available to every crook and peeping tom on the Internet.
Re:
Otherwise known as the government and LEOs. ;)
Depends. What was actually stored? High resolution TIFFs of biometric marker visual data, or hashes based on the biometric data?
If it's the second, then BioStar just has to realize that their hashing system has now been compromised, trash all data that uses it, and use a new algorithm to generate new fingerprints. All the old data would, of course, then be useless and the database would need to be re-built from scratch.
Every day we read about whichever government wanting to have backdoors built in to various software and we're told that it's because it's extremely unsafe if said government(s) can't read ALL messages from everyone to everyone else. We're also told not to concern ourselves because ALL our information will be 110% safe! However, it makes not the slightest difference whether it's a government or a company, not a single one of either is capable of keeping an ice lolly safe from the Sun! All are fucking useless at protection and none give a shit about anything or anyone being kept safe, as long as they get whatever it is they want!
My Bio-metrics have been stolen?
I guess I will need plastic surgery, eye, or at least iris replacement (fix my astigmatism while you're at it), fingerprint reconfiguration, voice box rework, and a couple of dozen bottles of Rogaine. Is there contact information for the insurance companies protecting these rat bastards where I can apply for the appropriate compensation? I assume lost time and the expense of letting everyone know the new me will be included.
Re: My Bio-metrics have been stolen?
Nope, just a year of free credit monitoring and your share of a $150k payout split 12 million ways. But that credit monitoring is worth $65 retail!!
Re: Re: My Bio-metrics have been stolen?
Really? WOW! I am sooo relieved.
Re: Re: My Bio-metrics have been stolen?
It's free credit monitoring OR your share of $150K split 12 million ways, not AND.
Re: Re: Re: My Bio-metrics have been stolen?
At least if a court ever needs to put an "official" dollar value on credit monitoring, we have a good way to get a number.
And this is the country that wants a database of people who watch porn.