A new security lapse in the BioStar 2 security platform has exposed 27.8 million records, including the fingerprint data of 1 million people. That information puts those affected at a high risk for identity theft. Read on for this week’s data privacy recap.
Flaw exposes biometric data of more than a million users
Another breach has been discovered by researchers Noam Rotem and Ran Locar alongside the vpnMentor team. The leaked information includes fingerprint data of more than 1 million people, facial recognition information, unencrypted usernames and passwords, and other personal information of users of Suprema’s BioStar 2 security platform. In total, the exposed information amounted to roughly 27.8 million records (23 gigabytes of data). So far, we only know that the information was publicly available, not that it has been stolen or used for nefarious purposes. Because the information included usernames and passwords, it could allow would-be hackers to create or modify user credentials, giving them access to any building secured using BioStar 2. BioStar 2 is a security system used to control facilities in the USA, Japan, UK, the UAE, and India. Employees working for BioStar’s parent company Suprema could also be vulnerable. Unfortunately, the leaked information is perfect fodder for identity fraud.
SEC investigating breach at First American Financial Corp
The Securities and Exchange Commission (SEC) announced an investigation this week into a breach of First American Financial Corp. If you’re not familiar, it’s a real estate title insurance company with a massive database of information. Through this lapse, more than 885 million personal and financial records have been exposed. These records are tied to mortgage deals specifically, and they go as far back as 2003. This news broke in May of this year via the popular security blog KrebsOnSecurity, but the SEC is now investigating the repercussions. The data included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver’s license images. The first person to notify the press was Ben Shoval, a Seattle real estate developer who received a letter from the SEC. “This investigation is a non-public, fact-finding inquiry,” the letter explained. “The investigation does not mean that we have concluded that anyone has violated the law.”
European Central Bank investigating breach
In yet another breach announcement, the European Central Bank (ECB) announced a security lapse this week. Unauthorized people may have stolen private information, including contact data. These hackers installed malware onto an external server that hosts the Banks’ Integrated Reporting Dictionary, or BIRD. Addresses, names and position titles of 481 newsletter subscribers may have been captured. Fortunately, passwords were not among the leaked information. While it investigates the matter, the ECB is contacting people whose data may have been stolen, and it has taken down its website. “The ECB takes data security extremely seriously,” the institution said. It has informed the European Data Protection Supervisor about the incident.
Newly-discovered Bluetooth vulnerability could expose devices
This next article doesn’t recap a data breach exactly; rather, it’s a warning about potential breaches to come. A group of researchers presented their paper at the USENIX Security Symposium this week, alerting the public to a Bluetooth security flaw. They named the vulnerability the KNOB attack, short for “Key Negotiation Of Bluetooth.” As we’ve written about before, Bluetooth technology can sometimes put users at risk. Instead of directly breaking the encryption, the newly discovered flaw allows hackers to force a pair of Bluetooth devices to use weaker encryption in the first place. When two devices connect using a Bluetooth link, a new encryption key is created. Hackers can intercept that process and force a weak key, which then allows them to gain access. Fortunately, this hack is very complicated to execute, so it shouldn’t be a major concern for Bluetooth users. There are no known cases of users being preyed upon in this way yet, but it’s certainly a hole that needs to be filled.