biostar 2 data breach iot security awareness training business infosec gdpr phish tests

BioStar 2 Exposed Fingerprint & Facial Recognition Data

Your fingerprint might be on the loose! More than 1 million fingerprints, facial recognition data, and unencrypted usernames and passwords were exposed by an unsecured database belonging to BioStar 2.


About 23 GB of data, amounting to 27.8 million records including sensitive biometric data, was found exposed in a massive data breach involving the biometric security platform BioStar 2. Researchers from VPNMentor found substantial portions of BioStar 2’s database left unprotected, unencrypted, or otherwise insufficiently secured. The Suprema-owned BioStar 2 platform provides thousands of companies with biometric access control to restrict entry to offices, buildings, and other private areas, as reported by TrendMicro.

BioStar 2 has recently been integrated with Nedap’s AEOS physical access control system, a security suite that connects physical locks, biometric readers, and other devices to keep buildings secure. The AEOS system is currently being used by over 5,700 organizations worldwide. With BioStar 2’s data leak, the sensitive biometric information of these organizations, including government units, financial companies, and even the UK’s Metropolitan Police, may have been compromised.

Sensitive information leaked in this data breach includes more than 1 million fingerprints as well as facial recognition data and images. Access to dashboards and backend controls, usernames and passwords, and employee records were also uncovered. Logs of who entered and left secured areas, and when, were also exposed.

The researchers also noted that they could easily access the accounts associated with this leak, as many of them used default or easily guessable passwords. Even accounts with more complex passwords offered no protection, because every password was stored in plaintext in the database: reading the row was enough to log in as that user.
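The two failures the researchers describe, default passwords and plaintext storage, are shown side by side below. This is an added example, not code from BioStar 2 or Suprema; BioStar 2's real schema is not public here, so the row layout, the field names and the short list of default passwords are assumptions. The weak store mirrors what the database dump revealed; the hardened store salts and stretches each password with scrypt, compares in constant time, and refuses to enroll a default or short password in the first place.

```python
"""Plaintext credential storage (the pattern described above) beside a
hardened form. Added example; table layout, field names and the
default-password list are assumptions, not BioStar 2's actual schema."""
import hashlib
import hmac
import os

# Assumed: a few vendor/default passwords an installer might leave in place.
DEFAULT_PASSWORDS = ("admin", "password", "123456", "Admin123")


class PlaintextStore:
    """The weak pattern: the password is stored verbatim, so whoever can read
    the database row can read the password."""

    def __init__(self):
        self.rows = {}

    def add_user(self, username, password):
        self.rows[username] = {"password": password}

    def verify(self, username, password):
        row = self.rows.get(username)
        return row is not None and row["password"] == password


class HashedStore:
    """Hardened form: per-user random salt, memory-hard scrypt, constant-time
    comparison, and a refusal to enroll default or short passwords."""

    N, R, P, DKLEN = 2 ** 14, 8, 1, 32  # scrypt cost: ~16 MB, tens of ms per guess

    def __init__(self):
        self.rows = {}

    def _derive(self, password, salt):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=self.N, r=self.R, p=self.P, dklen=self.DKLEN)

    def add_user(self, username, password):
        # Reject what the researchers found: vendor defaults and trivial passwords.
        if password in DEFAULT_PASSWORDS or len(password) < 12:
            raise ValueError("refusing default or short password")
        salt = os.urandom(16)
        self.rows[username] = {"salt": salt, "hash": self._derive(password, salt)}

    def verify(self, username, password):
        row = self.rows.get(username)
        if row is None:
            # Spend the same time for unknown users so timing does not reveal them.
            self._derive(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(row["hash"], self._derive(password, row["salt"]))


def dump_reveals_password(store, username, password):
    """What reading the raw database row gives an attacker: True when the stored
    value alone hands back the password, False when only a salted hash is there."""
    return store.rows[username].get("password") == password


def find_default_accounts(store):
    """Audit either store the way an attacker would: try each default password
    against each account through the normal login path."""
    hits = []
    for username in sorted(store.rows):
        if any(store.verify(username, guess) for guess in DEFAULT_PASSWORDS):
            hits.append(username)
    return hits


def build_demo():
    """Constructed sample data: one installer account left on a default password
    in the weak store, and a properly enrolled account in the hardened store."""
    plain = PlaintextStore()
    plain.add_user("ops", "admin")
    plain.add_user("alice", "correct horse battery staple")
    hardened = HashedStore()
    hardened.add_user("alice", "correct horse battery staple")
    return plain, hardened


if __name__ == "__main__":
    plain, hardened = build_demo()
    print("plaintext dump reveals ops password:", dump_reveals_password(plain, "ops", "admin"))
    print("hashed dump reveals alice password:",
          dump_reveals_password(hardened, "alice", "correct horse battery staple"))
    print("default-password accounts (plaintext store):", find_default_accounts(plain))
    print("default-password accounts (hardened store):", find_default_accounts(hardened))
```

Note that `find_default_accounts` works against both stores through `verify`, which is exactly why rejecting defaults at enrollment matters: hashing alone does not stop an attacker who already knows the password, it only stops the dump from handing it over.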

How to prevent or mitigate data breaches

Unprotected and unsecured databases are sure-fire entry points for cybercriminals seeking an organization’s sensitive data. Managed detection and response (MDR) services can help companies close such gaps and ensure that data breaches are mitigated or responded to. With round-the-clock security professionals correlating and analyzing threat intelligence, fielding and prioritizing alerts, and investigating and hunting threats, organizations can get the most out of their security solutions. MDR gives organizations capabilities that help them anticipate and thwart known and unknown threats and, in the event of a compromise, remediate the incident faster.


Enterprises are under increasing pressure to protect data. They can face client backlash, severe financial losses, and regulatory fines if they fail to properly secure the data they collect. There are many ways an organization can be breached, from compromised third-party suppliers to vulnerable tools and applications. Other factors can also expose systems to a data breach, from misconfiguration and patching delays to insecure software or system components.

Organizations and users can also implement some of these best practices to secure data.

For enterprises:

  • Identify the weak spots in your organization’s security infrastructure — including your supply chain — and implement intrusion prevention measures accordingly.
  • Educate all company employees on security policies and contingency plans, including how to identify an attack and common forms of social engineering, and what to do when it happens.
  • Practice network segmentation and data categorization.

For individuals:

  • Create strong, unique passwords for all online accounts, and change them regularly and immediately after any suspected breach.
  • Monitor accounts for unauthorized access and report any irregularities to related authorities immediately.
  • Be aware of different social engineering techniques attackers use to steal online credentials.
  • Enable two-factor authentication (2FA) on all online accounts whenever applicable.

TrendMicro. (2019, August 15). Over 27.8M Records Exposed in BioStar 2 Data Breach.
