Security software ‘leaked a million fingerprints’

More than a million fingerprints and other sensitive data have been exposed online by a biometric security firm, researchers say.

Researchers working with cyber-security firm VPNMentor say they accessed data from a security tool called Biostar 2. It is used by thousands of companies worldwide, including the UK’s Metropolitan Police, to control access to specific parts of secure facilities. Among other firms whose data was discovered were:

  • Power World Gyms, a gym franchise in India and Sri Lanka – 113,796 user records including fingerprints
  • Global Village, an annual festival in the United Arab Emirates – 15,000 fingerprints
  • Adecco Staffing, a Belgian human resources firm – 2,000 fingerprints

The UK Information Commissioner’s Office said it was aware of reports about Biostar 2 and would be making enquiries. The full news article can be read on BBC here.

Conosco’s Security Champion and Head of Security, Hylton Stewart, shares his view on a matter that has raised alarming questions from worried organisations about their own security policies.

The Implications

Not all data breaches are equal, as this potential breach of biometric data shows. It is bad enough having to get a new credit card if your details are involved in a public data breach, but how are you going to change your fingerprints once your biometric data is leaked?
Once this information is available on the web, chances are that it will circulate among malicious parties for a long time, and unlike a password or card number it can never be revoked and reissued.

Considerations

Biometric authentication using fingerprints or facial recognition, for example, can be considerably more secure than relying on passwords. However, when biometrics are incorporated into any system, extra consideration needs to be given to securing the biometric data itself, and security best practices should be followed at all times.
Practical considerations include ensuring that the network any biometric devices sit on is isolated as far as possible and is not reachable from the public internet. Databases storing this data should be encrypted wherever possible, and cloud storage of it should be limited and tightly controlled, as the risk of accidental public exposure is generally higher there.
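To illustrate the "encrypt the database" point, here is an added example (not Conosco's or Biostar's code) of how a biometric access-control system could store fingerprint templates encrypted at rest with AES-256-GCM, binding each ciphertext to its user ID so that a dumped row cannot be silently re-attached to a different user; the record layout, key and template bytes are all constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// TemplateRecord is a hypothetical database row: the fingerprint template is stored only as AES-GCM ciphertext (nonce || ciphertext || tag), never in the clear.
type TemplateRecord struct {
	UserID string
	Sealed []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTemplate encrypts a raw template and binds it to userID as associated data, so the ciphertext only opens under the same user ID.
func SealTemplate(key []byte, userID string, template []byte) (TemplateRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return TemplateRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return TemplateRecord{}, err
	}
	sealed := gcm.Seal(nonce, nonce, template, []byte(userID)) // nonce is prefixed to the output
	return TemplateRecord{UserID: userID, Sealed: sealed}, nil
}

// OpenTemplate decrypts a record; any change to the key, nonce, ciphertext or the bound user ID makes the GCM tag check fail and returns an error.
func OpenTemplate(key []byte, rec TemplateRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(rec.Sealed) < n {
		return nil, errors.New("truncated record")
	}
	return gcm.Open(nil, rec.Sealed[:n], rec.Sealed[n:], []byte(rec.UserID))
}
```

The key must live outside the database host (for example in a KMS or HSM), otherwise a dump that includes the key defeats the whole exercise.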

Final Thoughts

With the rise of public facial recognition systems, the hope is that the government and private contractors deploying and managing these systems are securing them adequately, given the large-scale access to biometric data involved.

We Can Help

We pride ourselves on our security knowledge and on being proactive with our clients.

Our security team actively works with organisations to keep them secure in the face of an ever-changing threat landscape. If you are worried about your current security, please get in touch with Conosco’s Security Division with your current security challenge via email, or take a look at our security services here.