Report: Biometric data exposed in Suprema BioStar 2 breach

Aug. 22, 2019
Fingerprint and facial recognition data, personal info of users reportedly exposed

Last week, security researchers at vpnMentor announced that they had discovered a data breach in Suprema’s BioStar 2 biometric access control platform that exposed the fingerprint data of more than one million people. Other information compromised in the breach reportedly included facial recognition information, as well as the personal information of employees and unencrypted user names and passwords.

The researchers, who reported that they were able to access nearly 28 million records in total, said the compromised data could give hackers access to user accounts and access permissions that they could then use to physically infiltrate facilities that use the BioStar 2 system and manipulate their security protocols.

“This is a huge leak that endangers both the businesses and organizations involved, as well as their employees,” the researchers said in a statement. “Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive.”

In a statement posted on the company’s website, Suprema President Young S. Moon said that the incident relates only to a limited number of BioStar 2 Cloud API users and that the vast majority of their customers do not use this in their access control and time management solutions.

“We launched an internal investigation and immediately closed the access point. We also engaged a leading global forensics firm to conduct an in-depth investigation into the incident,” added Moon. “Based on their investigation to date, they have confirmed that no further access has occurred and that the scope of potentially affected users is significantly less than recent public speculation.  

“We are currently in the process of identifying potentially affected parties and engaging the relevant authorities and regulators,” Moon continued. “We will inform any impacted parties with additional information as soon as feasibly possible.”

Experts Weigh In

Danielle VanZandt, Industry Analyst for Security at market research firm Frost & Sullivan, says this breach will likely force biometric vendors to show their integrator partners and end-user customers the specific steps they’ve taken to secure the data their systems collect.

“The significant breach and vulnerabilities recently discovered by vpnMentor researchers within Suprema’s BioStar 2 database are enough to scare any potential end user away from biometric security measures,” she says. “The consequences of data like this falling into the wrong hands could be catastrophic to an end user, particularly considering the breadth of BioStar 2’s customer base. Affected customers include gyms, co-working spaces, software consultancies, and consumer foods, medical, and industrial products manufacturers. It hits Suprema’s global customer base throughout North America, Europe, Asia, and the Middle East. Suprema has shown interest in expanding BioStar 2’s customer base to include government, banking, and law enforcement—verticals that will quickly shy away from any security vendor that does not have proper data security protocols in place.”

VanZandt emphasizes, however, that the breach will do little to slow down the adoption of biometrics across the industry.

“The sheer scale of BioStar 2, unfortunately, made the system one of the first to reveal the vulnerabilities of biometric access control solutions; however, this will not stop the exponential growth and adoption rates of biometric solutions,” she adds. “Fingerprint and facial recognition remain the most in-demand biometrics out there for physical access solutions across various industries. This breach will not scare away potential end-user purchases; rather, it will serve to inform them of the types of security protocols a vendor must have in place before a potential end user finalizes any new system purchase. Vendors must be ready to answer end-user questions about data access, precisely how their solution stores biometric data, and what encryption protocols are in place.”

According to Matan Or-El, Co-Founder and CEO of Panorays, this breach is particularly alarming given the number of deployments Suprema technology is in around the world and the potential it has to reverberate throughout the supply chain of organizations.

“This event underscores the very real need for organizations to be vigilant about how they outsource their customer and employee data and how that data is stored and processed,” he says. “Organizations need to ensure that their suppliers and business partners are on par with the organization’s own security standards and continuously uphold their suppliers to that standard. This should be part of their supplier management process, including vetting and continuously monitoring these suppliers to take action on any change in the security.”

Despite the advanced security offered by biometrics, Willy Leichter, VP of Marketing for Virsec, says that tools like fingerprint and facial recognition solutions are for naught if the data they use to operate can’t be protected.

“Unfortunately, leaking of biometric source information is the inevitable next step in a long line of security blunders. With any authentication method, from passwords to advanced biometrics, security is only as strong as its weakest link,” Leichter says. “With all the hype around biometrics and AI, we tend to overlook the basics – we’re entrusting increasingly unchangeable personal data to a network of third parties with little oversight, and few enforceable standards over how priceless personal data is handled. While GDPR lays out principles for data protection, these need to be swiftly and severely enforced for organizations that are clearly reckless.”