Roughly 28 million biometric records held by a security company were found to have leaked



vpnMentor, an Israeli company that audits VPN services, revealed that a large-scale data breach occurred in the security platform 'BioStar 2'. The exposed data comprised more than 27.8 million records, including fingerprints and facial images used for biometric authentication, as well as unencrypted user IDs and passwords.

Report: Data Breach in Biometric Security Platform Affecting Millions of Users
https://www.vpnmentor.com/blog/report-biostar2-leak/

“BioStar 2” is a security platform provided by the South Korean company Suprema to government institutions, banks, universities, defense contractors, police, multinational corporations and other facilities around the world. Suprema ranks among the top 50 security companies worldwide and holds the leading share of the biometric authentication market in Europe, the Middle East and Africa.

In July 2019, Suprema integrated BioStar 2 with the access control system “AEOS”, which is used in 5,700 facilities in 83 countries, expanding the database accordingly. vpnMentor researchers Noam Rotem and Ran Locar discovered the BioStar 2 database by chance, while working on a separate vpnMentor project: it was stored unencrypted and reachable from the open internet.

The following video released by vpnMentor shows how freely the contents of the database could be browsed.

Report: Biostar 2 Data Leak - YouTube


When the video starts, the index listing of the database is displayed. Note that it is being viewed in an ordinary web browser rather than any special tool, which shows how easily the data could be accessed over the internet.



Information such as user IDs, passwords and user names is also visible ...



Even the analysis console of Elasticsearch, the open source software used to build the database, was exposed.
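The exposure described above boils down to an Elasticsearch node that answered plain HTTP requests with no credentials. The script below is an added example (not code from vpnMentor or Suprema) of the check a practitioner would run against their own nodes: it requests the node banner unauthenticated, classifies the reply, and, if the node is open, lists the indices and their sizes the same way a browser pointed at the node would. It assumes the default port 9200; the sample responses at the bottom are constructed to match the shape of real Elasticsearch replies, not captured from BioStar 2.

```python
"""Check whether an Elasticsearch node answers unauthenticated requests.

Added example, not code from vpnMentor or Suprema.  Assumptions: the node
speaks HTTP on port 9200 (the Elasticsearch default), and the sample
responses below are constructed to mirror the shape of real ones.
"""
import json
import sys
import urllib.error
import urllib.request

# Every Elasticsearch node returns this tagline from GET / ; it is the
# simplest way to confirm that an open port really is Elasticsearch.
ES_TAGLINE = "You Know, for Search"


def classify_root_response(status, body):
    """Classify the reply to an unauthenticated GET / on the node.

    'open'              -> node returned its banner, no credentials needed
    'auth_required'     -> node returned 401, i.e. security is enabled
    'not_elasticsearch' -> something else is listening (or the reply is garbage)
    """
    if status == 401:
        return "auth_required"
    if status != 200:
        return "not_elasticsearch"
    try:
        data = json.loads(body)
    except ValueError:
        return "not_elasticsearch"
    if isinstance(data, dict) and data.get("tagline") == ES_TAGLINE:
        return "open"
    return "not_elasticsearch"


def summarize_indices(cat_indices_body):
    """Parse GET /_cat/indices?format=json&bytes=b into (index, docs, bytes)
    tuples, largest document count first.  Closed indices report no counts,
    so missing values are treated as zero rather than aborting the audit."""
    rows = json.loads(cat_indices_body)
    summary = []
    for row in rows:
        docs = int(row.get("docs.count") or 0)
        size = int(row.get("store.size") or 0)
        summary.append((row["index"], docs, size))
    summary.sort(key=lambda r: r[1], reverse=True)
    return summary


def fetch(url, timeout=5):
    """Unauthenticated GET returning (status, body); a 401 is returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(host, port=9200, scheme="http"):
    """Probe one node and return (verdict, index summary)."""
    base = f"{scheme}://{host}:{port}"
    verdict = classify_root_response(*fetch(base + "/"))
    indices = []
    if verdict == "open":
        status, body = fetch(base + "/_cat/indices?format=json&bytes=b")
        if status == 200:
            indices = summarize_indices(body)
    return verdict, indices


# Constructed sample responses (not captured from BioStar 2).
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "biometrics",
    "version": {"number": "6.8.1"}, "tagline": ES_TAGLINE,
})
SAMPLE_AUTH_ROOT = json.dumps({"error": {"type": "security_exception"}, "status": 401})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "users", "docs.count": "1200", "store.size": "52428800"},
    {"index": "access_logs", "docs.count": "2500000", "store.size": "10485760000"},
    {"index": "archive", "docs.count": None, "store.size": None},  # closed index
])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict, indices = audit(sys.argv[1])
    else:  # offline demonstration on the constructed samples
        verdict = classify_root_response(200, SAMPLE_OPEN_ROOT)
        indices = summarize_indices(SAMPLE_CAT_INDICES)
    print("verdict:", verdict)
    for name, docs, size in indices:
        print(f"  {name}: {docs} docs, {size} bytes")
```

Run it as `python es_audit.py <host>` against a node you own; with no argument it runs on the constructed samples. A verdict of `open` on an internet-facing address means the node is bound to a public interface (`network.host`) without `xpack.security.enabled: true` or an authenticating reverse proxy in front of it; on the 6.x line used here as an example, the free security features only arrived in 6.8, which is one reason so many older clusters ran wide open.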



The database consisted of more than 27.8 million records totaling 23 GB of data, reportedly including client fingerprints, facial recognition data and facial photographs, plaintext user names and passwords, facility entry and exit records, employee personal information such as home addresses and email addresses, and details such as the operating system of employees' mobile devices.

vpnMentor also published the names of some of the companies affected by the leak. Among them is Inspired.Lab, which operates a coworking space in Tokyo, showing that Japanese companies were affected as well.



vpnMentor also reports that Suprema was uncooperative. The research team confirmed the issue on August 5, 2019, and reported it to Suprema by email, but received no reply no matter how many times they wrote. When they phoned Suprema's German office, they were abruptly told 'we can't speak with vpnMentor' and the call was cut off. They also tried to reach BioStar 2's compliance officer, appointed under the EU General Data Protection Regulation (GDPR), but could not get through.

The database was eventually taken offline thanks to a more helpful response from the French office, but only on August 13, 2019, more than a week after vpnMentor discovered the problem.

The vpnMentor research team states, “If the manufacturer of BioStar 2 had taken basic security measures, this leak would easily have been avoided,” points out that the database may already be in the hands of malicious hackers, and urges affected companies and users to take immediate action.

Posted by log1l_ks in Video, Security