What do you do when your biometrics data gets stolen?
A major breach at security company Suprema, whose systems are used by UK security agencies & banks, raises concerns
Data breaches have already soared 54% in 2019, with more than 3800 attacks hitting organizations, according to a report published by Risk Based Security, a data breach & risk rating agency. It points to the extreme risk of placing sensitive data in the hands of third-party vendors as the main cause; 89% of breaches involved external parties, which supports this claim. Another interesting statistic is that 149 of the total 3,813 incidents resulted from misconfigured databases and services, exposing 3.2 billion records.
The mounting severity of these massive data breaches was discussed in my earlier piece about 13 Cyber Security Unicorns: one involved a cyberattack on Bulgaria’s tax agency in which data on most adults in the country of 7 million people was stolen, and in another, Russia’s secret intelligence agency, the FSB, was hacked, with 7.5 terabytes of data taken from a major contractor.
If your passwords get stolen or compromised, you can always change them, but what do you do when something like your biometrics gets stolen? One can’t exactly change one’s fingerprints or retina scan! This is the conundrum now faced by the banks & UK security agencies. As reported by The Guardian, fingerprints, facial recognition information, unencrypted usernames and passwords, and personal information of business employees were found on a publicly accessible database.
Apparently, Suprema, a company that provides biometrics, security & identity solutions to the likes of the UK Metropolitan Police, defense contractors and banks via its Biostar 2 biometric lock system, had this vulnerability. Last week, two Israeli security researchers, Noam Rotem and Ran Locar, found that Biostar 2’s database was unprotected and mostly unencrypted.
By manipulating the URL search criteria, the researchers were able to gain access to over 27.8 million records and 23 gigabytes of data, including admin panels, dashboards, fingerprints, facial recognition data, unencrypted usernames and passwords, security clearance levels & personal information on the staff. The published report states that the researchers were also able to add & edit existing user accounts, manipulate their identity markers, and gain access to whatever those users were authorized to access.
This is extremely disconcerting, since Suprema is a multinational company with 1.5 million service locations in more than 140 countries. Although the vulnerability has been patched since the report was published, the company has still not come out with an explanation, which is the other worrisome part. Companies don’t seem to follow any moral or ethical code when it comes to protecting users' data.
They only come forward when they are exposed. Case in point: the human review of audio recordings by the big tech companies. Most of them only came forward when regulators started reviewing their processes or a whistleblower blew their cover. But in this case, someone else has your unique identity markers, and there is nothing you can do to fix it.
Perhaps the only solution, then, is to use a service whose security solution combines conventional passwords with biometrics. Two-factor authentication is another good example. Relying on technology alone is not the answer.