
How Were 23 GB of Data Leaked Online?

A massive online scandal: 1 million fingerprints became available for malicious use.

A security tool called Biostar 2 has been hacked and its data have been leaked online. 23 GB of data with 30 million records were found exposed online, including 1 million fingerprints. Biostar 2 is run by Suprema; it is a biometric lock system controlling access and surveillance in secured buildings. The leak was discovered by Israeli researchers Noam Rotem and Ran Locar of the cybersecurity firm vpnMentor.


TIMELINE OF THE LEAK

  • Date discovered: 5th August 2019

  • Date vendors contacted: 7th August 2019

  • Date of action: 13th August 2019, when the exposure was fixed.

THE LEAKED DATA INCLUDE:

  1. Access to client admin panels, dashboards, back end controls, and permissions

  2. Fingerprint data

  3. Facial recognition information and images of users

  4. Unencrypted usernames, passwords, and user IDs

  5. Records of entry and exit to secure areas

  6. Employee records including start dates

  7. Employee security levels and clearances

  8. Personal details, including employee home address and emails

  9. Businesses’ employee structures and hierarchies

  10. Mobile device and OS information


In the "wrong" hands these data could wreak havoc on the lives of the victims. Unlike passwords, fingerprints are permanent: once stolen, they cannot be changed. This makes fingerprint data theft even more concerning. Fingerprints are replacing typed passwords on many consumer items, like phones. Most fingerprint scanners on consumer goods are unencrypted, so when a hacker develops technology to replicate your fingerprint, they will gain access to all the private information stored on your device, such as messages, photos, and payment methods.


What did Suprema do wrong? In the first place, they were saving unencrypted information. In addition, their databases had poor protection. Many passwords were found to be weak, such as "123456789", "password" or "abcd1234". The company should have followed a more rigorous security plan in general, in order to protect its customers. Criminals with access to the leaked data could gain access to sensitive areas or to even more sensitive personal information about the victims.
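As an added illustration of the two failings described above (it is not code from the article or from Suprema), the following Python example rejects the weak passwords the leak exposed and stores only a salted PBKDF2 digest instead of the plaintext; the blocklist, the 12-character minimum and the iteration count are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed blocklist seeded with the weak passwords found in the leaked database.
WEAK_PASSWORDS = {"123456789", "password", "abcd1234"}

# Assumption: a present-day work factor for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def password_is_acceptable(password: str, min_length: int = 12) -> bool:
    """Reject passwords that are too short, on the blocklist, or a plain digit run
    such as "123456789" (the kind of value found in the exposed records)."""
    if len(password) < min_length:
        return False
    if password.lower() in WEAK_PASSWORDS:
        return False
    if password.isdigit():
        return False
    return True


def hash_password(password: str) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest rather than the plaintext password.
    A fresh random salt per record means two identical passwords hash differently."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so a leaked record reveals neither the password nor timing information."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)
```

A database holding only the `pbkdf2_sha256$...` strings would still be a serious exposure, but it would not hand out usable credentials the way unencrypted passwords did here.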
