A vast trove of biometric records containing more than a million fingerprints has been left exposed in a publicly accessible database, researchers have claimed.
The highly sensitive data was discovered by Israeli analysts and belongs to Suprema, a security company whose clients include banks and governments.
One of Suprema’s most popular products is BioStar 2, a biometric access-control platform that uses fingerprints and facial recognition to grant entry to secure facilities, giving rise to fears that the exposed data could be used for physical intrusions rather than only digital ones.
In a blog post detailing the exposure, the researchers warned: “Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives.”
According to the researchers, the exposed database was discovered on 5 August and Suprema was contacted two days later. It was not until 13 August, after several attempts to make contact, that the database was secured, the researchers said.
The exposed database held a total of 27.8m records, including fingerprint data, facial recognition images, unencrypted usernames and passwords, employee records and logs of entry to secure areas, among other information.
“If researchers […] were able to gain access to the data from the security tool BioStar 2, then so too might hackers, and the consequences of this would be vast,” said Nominet’s cyber chief Stuart Reed.
“Unlike many other cyber incidents that we’ve seen which compromise digital data, this breach directly crosses over into physical security, demonstrating just how dangerous the data could be in the wrong hands.”
Andrew Tsonchev, Darktrace’s technology director, added: “The exposure of Suprema’s biometric data and PII is arguably the most serious vulnerability yet discovered. Whilst other PII breaches, such as the recent Capital One hack, have involved greater numbers of affected users, the nature of the data in this case is unprecedentedly sensitive. The value of this data for reuse is extremely high. Unlike other forms of identification, biometric data cannot be changed.”
A Suprema spokesperson told the Guardian: “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.”