vpnMentor privacy researchers have discovered a large data breach in BioStar 2, a centralized biometric access control platform used by UK police forces and major banks.
BioStar 2 uses facial recognition and fingerprint technology to control access to secure areas of facilities, manage user permissions, integrate with third-party security applications and record activity logs.
vpnMentor says it was able to access more than 27.8 million records, a total of 23 gigabytes of data, in a publicly accessible database.
The exposed data includes detailed personal information on employees and unencrypted usernames and passwords, as well as more than 1 million fingerprint records and facial recognition data.
vpnMentor's investigators say the breach would give attackers full access to administrator accounts in BioStar 2, allowing them to modify existing user accounts and create their own. Attackers could also replace the fingerprint data of an existing account with their own and hijack that account to enter restricted areas without being detected.
The firm says: "Hackers and other criminals could create fingerprint libraries to use at any time they want to enter somewhere without being detected."
BioStar 2 is built by Suprema, which recently partnered with Nedap to integrate the application into Nedap's AEOS access control system.
AEOS is used by more than 5,700 organizations in 83 countries, including some of the largest multinational companies, many small local businesses, governments, banks and even the United Kingdom's Metropolitan Police.
The investigators say they made several unsuccessful attempts to contact Suprema before taking the story to the Guardian newspaper late last week. By Wednesday morning the vulnerability had been closed.
This content has been selected, created and edited by the Finextra editorial team based on its relevance and interest to our community.