Massive Biometric Data Breach Creates Chaos for MSSPs
VPNMentor has reported a massive biometric data leak in BioStar 2.
The web-based biometric security smartlock app uses fingerprints and facial recognition to verify user identities and grant access to locked facilities and third-party security apps. It is also used to manage user permissions and to record activity logs. VPNMentor’s team gained access to more than 1 million fingerprint records, plus a bounty of facial recognition information. The app is built by Suprema, a top 50 security manufacturer in the world and the holder of the largest market share in EMEA for biometric access control.
“Combined with the personal details, usernames and passwords, the potential for criminal activity and fraud is massive,” wrote the researchers in their report.
The researchers discovered the leak on Aug. 5. They contacted the company to notify it of the data exposure, but found their efforts ignored or rebuffed. Eventually the company closed the breach on Aug. 13.
Specifically, the VPNMentor team reports it was able to access over 27.8 million records, a total of 23 gigabytes of data. The data was discovered on a publicly accessible database used by the likes of the U.K. Metropolitan police, defense contractors and banks. The exposed data included:
- Access to client admin panels, dashboards, back-end controls, and permissions
- Fingerprint data
- Facial recognition information and images of users
- Unencrypted usernames, passwords, and user IDs
- Records of entry and exit to secure areas
- Employee records including start dates
- Employee security levels and clearances
- Personal details, including employees’ home addresses and emails
- Businesses’ employee structures and hierarchies
- Mobile device and OS information
“There have been numerous reports about exposed buckets of data, but this recent incident involving compromised biometric data from Suprema is particularly alarming: Unlike usernames and passwords, biometric information such as fingerprints and facial recognition records cannot be changed. And because Suprema is connected to thousands of organizations across the world, this compromised data has the power to rattle the entire supply chain,” said Matan Or-El, co-founder and CEO of Panorays.
Chaos for MSSPs and Other Security Providers
Now MSSPs and other channel partners are left to figure out how to secure everything from physical plants to company apps with so much biometric data available to criminals. The steps that need to be taken immediately vary somewhat with the verticals that security providers are serving.
For example, for supply chains, it means doubling down on securing third-party vendor access.
“Organizations need to ensure that their suppliers and business partners are on par with the organization’s own security standards and continuously uphold their suppliers to that standard. This should be part of their supplier management process, including vetting and continuously monitoring these suppliers to take action on any change in the security,” advised Or-El.
For MSSP customers that serve consumers, it means double- and triple-checking every transaction.
“From a consumer perspective, high-resolution fingerprints are a dangerous data set, regardless of how the original data was intended to be used. Given that we don’t know whether the stolen fingerprint data is full resolution or templatized, it is unclear whether the stolen biometric data will have any meaningful impact. We do know that other consumer information was made available by the vendor, and this information has the possibility of being used to access consumer accounts, including financial services accounts,” said Robert Capps, vice president and authentication strategist for NuData Security, a Mastercard company.
“It is advisable, therefore, that any company using Biostar 2 for physical access should make plans to …