The leak of millions of fingerprint records and other personal data has raised serious questions about how securely biometric data is stored by current biometrics technology.
A platform used by organisations worldwide to control access to buildings has been shown to be insecure.
Researchers working for the cyber-security firm vpnMentor discovered a massive leak of data from the BioStar 2 biometrics platform. They spotted it in early August, but the data may have been exposed for much longer. It took a week before the data was secured by BioStar's maker, Suprema.
The researchers were able to view masses of private data without any authentication. As well as fingerprint records, they found facial recognition data, names, addresses, passwords and employment histories. In total, 23 gigabytes of data, containing nearly 30 million records, was stored unencrypted.
Many British companies were affected, including Tile Mountain, a homeware retailer which received no warning that data at its Stoke-on-Trent headquarters may have been compromised. The company's IT director said the exposure could have contravened the European Union's General Data Protection Regulation (GDPR), leading to a severe financial penalty.
Fears about the risks surrounding BioStar 2 were compounded by recent news that Suprema will be integrating BioStar 2 into AEOS, a separate access-control system used across 83 countries by major organisations such as governments, banks and the police.
Gary Jowett, from Computer & Network Consultants in Brighton, said: “The use of biometric data has distinct advantages for ensuring robust security. However, there are clearly serious issues that need to be ironed out before it can be used with confidence. The good news for British companies is that UK legislators may soon bring in tighter laws to control how such data is gathered and stored.
“Such alarming news about BioStar 2 suggests that all organisations need to include contingency measures to mitigate against the consequences of any future breaches, including an established process for communicating effectively with customers, partners and the ICO. For example, it’s essential that the ICO views favourably your organisation’s efforts to contain the problem. Otherwise, the UK regulator could impose the maximum penalty which, under the terms of the GDPR, is a significant percentage of annual turnover. Such a penalty could, for many small and medium-sized companies, have fatal consequences.”