Suprema’s Biometrics Database with Fingerprints, Face Photos, and Plain Text Passwords Found to Be Publicly Accessible
Josh Taylor, the Guardian:
The Israeli security researchers Noam Rotem and Ran Locar, working with vpnmentor, a service that reviews virtual private network services, have been running a side project to scan ports looking for familiar IP blocks, and then use these blocks to find holes in companies’ systems that could potentially lead to data breaches.
In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.
The researchers had access to over 27.8m records, and 23 gigabytes’ worth of data including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.
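The “manipulating the URL search criteria in Elasticsearch” line refers to the query-string form of the search API (`GET /<index>/_search?q=field:value`), which needs no request body and no client beyond a browser when the node has no authentication in front of it. The script below is an added example, not the Guardian’s, the researchers’ or Suprema’s code: it probes an Elasticsearch base URL anonymously for cluster health, the index list and a `?q=` search, and reports what came back. So that it runs offline, it points itself at a small constructed mock server with made-up documents; the endpoint paths are real Elasticsearch routes, everything else (`MockElasticsearch`, `MOCK_DOCS`, the `users` index) is an assumption for the demo.

```python
"""Probe whether an Elasticsearch endpoint serves index data to an
unauthenticated client via the URL-parameter search form.
Added example; the target here is a local mock, not any real system."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Constructed sample documents standing in for an exposed index (not real data).
MOCK_DOCS = [
    {"username": "admin", "password": "Summer2019!", "role": "superadmin"},
    {"username": "jdoe", "password": "hunter2", "role": "staff"},
]


def _matches(doc, q):
    """Tiny subset of the ES query-string syntax: a single field:value term."""
    field, _, value = q.partition(":")
    return str(doc.get(field, "")) == value


class MockElasticsearch(BaseHTTPRequestHandler):
    """Minimal stand-in that behaves like an ES node with no auth enabled."""

    def _send(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        url = urlparse(self.path)
        if url.path == "/_cluster/health":
            self._send(200, {"status": "green", "cluster_name": "mock"})
        elif url.path == "/_cat/indices":
            self._send(200, [{"index": "users", "docs.count": str(len(MOCK_DOCS))}])
        elif url.path == "/users/_search":
            q = parse_qs(url.query).get("q", ["*"])[0]
            hits = [d for d in MOCK_DOCS if q == "*" or _matches(d, q)]
            self._send(200, {"hits": {"total": {"value": len(hits)},
                                      "hits": [{"_source": d} for d in hits]}})
        else:
            self._send(404, {"error": "no such route"})

    def log_message(self, *args):  # keep the demo quiet
        pass


def _get_json(url, timeout=5):
    """GET a JSON resource anonymously; return (status, decoded body)."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as e:
        return e.code, None
    except URLError:
        return None, None


def probe_elasticsearch(base_url, index, query="*", timeout=5):
    """Report what base_url hands to an anonymous client: whether it demands
    credentials, which indices it lists, and the hits of a ?q= search."""
    result = {"auth_required": False, "indices": [], "hits": []}
    status, _ = _get_json(f"{base_url}/_cluster/health", timeout)
    if status in (401, 403):
        result["auth_required"] = True  # something (x-pack, a proxy) is in front
        return result
    status, indices = _get_json(f"{base_url}/_cat/indices?format=json", timeout)
    if status == 200 and indices:
        result["indices"] = [i["index"] for i in indices]
    params = urlencode({"q": query, "size": 10})  # the URL-parameter search form
    status, body = _get_json(f"{base_url}/{index}/_search?{params}", timeout)
    if status == 200 and body:
        result["hits"] = [h["_source"] for h in body["hits"]["hits"]]
    return result


def run_demo(query="role:superadmin"):
    """Start the mock on a free loopback port, probe it, and return the findings."""
    server = HTTPServer(("127.0.0.1", 0), MockElasticsearch)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_elasticsearch(f"http://127.0.0.1:{server.server_port}", "users", query)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Pointed at your own cluster instead of the mock, a `200` from `/_cat/indices` with no credentials is the finding that matters: anyone who can reach the port can enumerate and read every index the same way, so the fix is to bind the node to a private interface and require authentication, not to obscure index names.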
Biostar 2 is operated by Suprema, a Korean company, which means that this breach should be investigated under the country’s strict Personal Information Protection Act. If this report is true, it’s shocking that they did not bother to encrypt fingerprint data, staff details, or administrative usernames and passwords.