The Guardian and Forbes reported this week that security researchers from vpnMentor have published a report finding that Suprema, a company that collects and monitors biometric information such as fingerprints and facial recognition data, left 28 million records and 23 gigabytes of data, including biometric information, exposed and insecure.
Suprema serves police departments, banks and defense contractors, and provides identity solutions, time and attendance solutions, fingerprint scanners, and mobile authentication tools for employers. According to The Guardian, the system involved is Suprema’s BioStar 2 biometric identity solution, which “is used by 5,700 organisations in 83 countries, including governments, banks and the police.”
According to the researchers, highly sensitive biometric data and administrative usernames and passwords were left unencrypted. The researchers found plain-text passwords of administrator accounts and they were “able to change data and add new users.” The ability to add new users or alter the data is frightening, because it undermines the integrity of every record in the system. The theft of biometric information is also frightening because, unlike a password, biometric data cannot be replaced: we only have one set of fingerprints and one face. The researchers stated, “they are saving people’s actual fingerprints that can be copied for malicious purposes.”
Suprema says it has shut down the vulnerability and is investigating the report. The information reported as exposed includes “fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.”