
Breach at a Biometric Security Firm

SysArmy
"Biometrics such as fingerprints could never be made private again once lost"

A recent report disclosed that an independent cybersecurity firm discovered that Suprema, a biometric security firm, had left its sensitive data exposed in the open on or around the 2nd week of August 2019. Suprema offers BioStar 2, a web-based, open and integrated security platform that provides comprehensive functionality for access control and time attendance.


Suprema's clients number in the thousands worldwide and include the UK's Metropolitan Police. The report did not explain how the data was exposed or how long it was accessible. The sensitive data includes fingerprint records, photographs, facial recognition data, names, addresses, passwords, employment history and records of when people had accessed secure areas.


The independent cybersecurity firm was apparently able to view the following exposed data:

  1. Power World Gyms, a gym franchise in India and Sri Lanka - 113,796 user records including fingerprints

  2. Global Village, an annual festival in the United Arab Emirates - 15,000 fingerprints

  3. Adecco Staffing, a Belgian human resources firm - 2,000 fingerprints

Biometric information such as fingerprints, once exposed in a data breach, can never be made private again, unlike a password, which you can still change.


Coincidentally, this breach came immediately after the hack of the UK Metropolitan Police's website in late July 2019, in which hackers posted a series of bizarre messages and tweets were sent from the force's verified account, which has more than a million followers.


Three years ago, the Office of Personnel Management of the US government disclosed that hackers stole the fingerprints of 5.6 million federal employees who were in the process of applying for or receiving security clearances.


Are these 2 events related somehow? Were they perpetrated by the same group of hackers or by different groups?
