VPNMentor has reported a massive biometric data leak in BioStar 2.

The web-based biometric security smartlock app uses fingerprints and facial recognition to verify user identities and grant access to locked facilities and third-party security apps. It also used to manage user permissions and to record activity logs. VPNMentor’s team gained access to more than 1 million fingerprint records, plus a bounty of facial recognition information. The app is built by Suprema, a top 50 security manufacturer in the world, and the holder of the largest market share in EMEA for biometric access control.

“Combined with the personal details, usernames and passwords, the potential for criminal activity and fraud is massive,” wrote the researchers in their report.

The researchers discovered the leak on Aug. 5. They contacted the company to notify it of the data exposure, but found their efforts ignored or rebuffed. Eventually the company closed the breach on Aug. 13.

Specifically, the VPNMentor team reports it was able to access over 27.8 million records, a total of 23 gigabytes of data. The data was discovered on a publicly accessible database used by the likes of the U.K. Metropolitan police, defense contractors and banks. The exposed data included:

Panorays’ Matan Or-El

“There have been numerous reports about exposed buckets of data, but this recent incident involving compromised biometric data from Suprema is particularly alarming: Unlike usernames and passwords, biometric information such as fingerprints and facial recognition records cannot be changed. And because Suprema is connected to thousands of organizations across the world, this compromised data has the power to rattle the entire supply chain,” said Matan Or-El, co-founder and CEO of Panorays.

Chaos for MSSPs and Other Security Providers

Now MSSPs and other channel partners are left to figure out how to secure everything from physical plants to company apps with so much biometric data available to criminals. The steps that need to be immediately taken vary some with the verticals that security providers are serving.

For example, for supply chains, it means doubling down on securing third-party vendor access.

“Organizations need to ensure that their suppliers and business partners are on par with the organization’s own security standards and continuously uphold their suppliers to that standard. This should be part of their supplier management process, including vetting and continuously monitoring these suppliers to take action on any change in the security,” advised Or-El.

For MSSP customers that serve consumers, it means double- and triple-checking every transaction.

NuData’s Robert Capps

“From a consumer perspective, high-resolution fingerprints are a dangerous data set, regardless of how the original data was intended to be used. The fact that we don’t know whether the stolen fingerprint data is full resolution or templatized, it is unclear whether the stolen biometric data will have any meaningful impact. We do know that other consumer information was made available by the vendor, and this information has the possibility of being used to access consumer accounts, including financial services accounts,” said Robert Capps, vice president and authentication strategist for NuData Security, a Mastercard company.

“It is advisable, therefore, that any company using Biostar 2 for physical access should make plans to …

… ensure their facilities remain secure until the full scope of the vulnerability is known, and consumers whose information was contained in the breach take precautions to protect any accounts related to the information disclosed in the breach,” Capps added.

Question Biometric and AI Protections

But there are also general steps any company affected by this biometric data leak, either directly or indirectly, should take now.

Headshot of Comforte’s Felix Rosbach

“Cybersecurity is not only about preventing breaches; it is also about protecting the data itself to make it a worthless treasure for attackers. In this case, tokenization would have been a great approach to make sure that clear text data elements are exchanged by a substitute,” said Felix Rosbach, product manager with Comforte AG.

“It is not possible to use, add or change data sets in a database that only contains tokenized data. This prevents attackers from changing or adding user accounts, facial recognition information or fingerprints to access whatever building that user is authorized to access,” Rosbach added.

Unquestioned reliance on biometrics and artificial intelligence (AI) must also come to an end. Neither technology is unbeatable in proving user identities. Due diligence is necessary and vital in vetting these vendors too.

“With all the hype around biometrics and AI, we tend to overlook the basics — we’re entrusting increasingly unchangeable personal data to a network of third parties with little oversight, and few enforceable standards over how priceless personal data is handled,” said Willy Leichter, vice president of marketing at Virsec.

However, it likely will take government muscle to completely shut down vendor security negligence.

“While GDPR lays out principles for data protection, these need to be swiftly and severely enforced for organizations that are clearly reckless,” said Leichter.