The fingerprint and facial recognition information of some 2.78 million people around the world has been exposed thanks to an unsecured database.
Korean company Suprema claims to be a “global powerhouse in biometrics, security, and identity solutions” and sells its services to large companies all over the world including Union co-working spaces in the USA, and London's Metropolitan police. However, its vast database of fingerprint data, facial recognition data (and images of users), unencrypted usernames, passwords, and real-world home addresses was compromised — potentially exposing the data of people from around the world.
So what happened? Should you be concerned? And is there anything you can do?
Updated 08/15 with comment from Suprema
Suprema Biostar 2 Breach – What Happened?
Biostar 2 is Suprema's proprietary security database platform. The company prides itself on being a world leader in providing biometric security systems — using your face or fingerprint to unlock office doors, for example. Researchers discovered that the database had been breached on 5 August, and contacted the company two days later.
However, according to the researchers, Suprema was “very uncooperative,” after repeated attempts to contact the company over email and phone. They also tried to contact Biostar 2's GDPR compliance officer “but received no reply.”
After speaking to Suprema's French branch, the breach was finally resolved on August 13 — eight days after it was disclosed to Suprema.
At the moment, it's not clear whether any malicious actors have been able to access the information.
“The Company takes any report of this nature very seriously,” said Suprema's head of marketing Andy Ahn. “It is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary. At this stage, it cannot make any further comment but will, if appropriate, issue a further press statement in due course, including corrections of any erroneous assertions in the reports to date.”
We're not certain what the “erroneous assertions” might be but if any are reported, we'll update our story accordingly.
In a statement to The Guardian, which had advance access to the news about the leak, Andy Ahn said:
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets.”
Ahn also commented that Suprema had taken an “in-depth evaluation” of the information provided and it would inform customers if there was a threat.
Biometric Data Breaches: Should You Be Concerned?
Absolutely. “The [Suprema] platform has over 1.5 million worldwide installations,” said the researchers commenting on the breach, “and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions.”
If the 23GB of data seized in this breach ended up the hands of criminals, there could be some serious repercussions for users and businesses around the world. With full access to the Biostar 2 database, criminals “can use this database to quite literally walk into a room and take anything of value,” said the researchers. “This is true no matter the nature of the building, whether it's a small-town gym or a government office.
Criminals could also use the data from Biostar 2 to commit identity theft and fraud, as well as blackmailing and extorting regular people.
Is There Anything Affected Users Can Do?
Beyond changing your passwords, there doesn't seem to be a huge amount that regular users can do. After all, faces and fingerprints tend to be more permanent than passwords and usernames.
However, the researchers also commented that anyone concerned by the prospect of the breach should contact the businesses affected.
“Mistakes happen, and the real test is how you handle them,” said one of the researchers. “If you have a security team that can respond quickly and efficiently it’s good enough. If you have a security team that will send a legal team to threaten you, well, it’s less efficient.”
Find out more about keeping yourself safe online