A security flaw in a biometric system used by banks, police and defense companies in the UK left over a million fingerprints exposed, according to The Guardian.
The huge data breach also laid bare unencrypted passwords, facial recognition data and other personal data.
Security company Suprema's Biostar 2 lock system lets authorized persons enter buildings using fingerprints and facial recognition technology. The platform was integrated into another access system, AEOS, which is used by 5,700 organizations across 83 countries, the UK Metropolitan Police among them.
The breach was found by a pair of Israeli researchers, Noam Rotem and Ran Locar, working with VPN review service vpnmentor. The researchers were conducting a routine network scan last week when they realized that the Biostar 2 database was publicly accessible. Furthermore, they were able to access nearly 28 million records and 23GB of data by manipulating URL search criteria. The records include fingerprints, facial recognition data, passwords, and security clearance information.
Rotem told The Guardian that the flaw made it possible for him to alter data and even add new users, meaning he could input his own biometrics and gain access to facilities that the original user was permitted to enter.
“We were able to find plain-text passwords of administrator accounts,” he explained. “The access allows first of all seeing [that] millions of users are using this system to access different locations and see in real time which user enters which facility or which room in each facility, even.
“We [were] able to change data and add new users.”
He says the team made several attempts to get in touch with Suprema but all efforts proved futile. They decided to take their findings to the press and had not heard back from the company at the time of writing.
Suprema's head of marketing Andy Ahn told The Guardian that the firm had investigated vpnmentor's research thoroughly and would alert customers if there was a threat.
The vulnerability has since been fixed and the data is no longer accessible, but the people who found the breach haven't gotten so much as a thank you from Suprema.