Biometric records on 1 million users have been exposed in a massive data breach of a publicly exposed database. The records include fingerprints, facial recognition data, unencrypted usernames and passwords, and employee personal data.
According to a report by The Guardian, the exposed database was part of the web-based Biostar 2 biometrics lock system owned by security company Suprema. Biostar 2 is used by various banks, defense firms, and police to help secure building facilities across 1.5 million locations. In addition, the biometric devices are centrally controlled and used to help identify individuals as they gain access to the facilities.
Security researchers Noam Rotem and Ran Locar discovered 27.8 million records and 23 gigabytes of information. Examples of data found include: fingerprint data, facial recognition data, user photos, unencrypted usernames and passwords, employee personal data, and other sensitive data.
“Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes,” the researchers said.
The Guardian said the vulnerability was closed on Wednesday, but that it had not heard back from Suprema since then.