September 23, 2019

September 20, 2019

Security Researchers Find Biometric Data on 28 Million Records Is Exposed

The Guardian and Forbes reported this week that security researchers from Vpnmentor have discovered, and published a report stating, that Suprema, a company that collects and monitors biometric information such as fingerprints and facial recognition data, has left the biometric information of 28 million records, and 23 gigabytes of data, exposed and insecure.

Suprema services police departments, banks and defense contractors, and provides identity and time and attendance solutions, fingerprint scanners, and mobile authentication tools for employers. According to The Guardian, the system involved is Suprema’s Biostar 2 biometric identity solution, which “is used by 5,700 organisations in 83 countries, including governments, banks and the police.”

According to the researchers, highly sensitive biometric data and administrative usernames and passwords were left unencrypted. The researchers found plain-text passwords of administrator accounts and they were “able to change data and add new users.” The ability to add new users or manipulate the integrity of the data is frightening. The theft of biometric information also is frightening because we only have one set of fingerprints and one face. The researchers stated “they are saving people’s actual fingerprints that can be copied for malicious purposes.”

Suprema says it has shut down the vulnerability and is investigating the report. The information reported as exposed includes “fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.”

Copyright © 2019 Robinson & Cole LLP. All rights reserved.

About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence
Partner

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...

401-709-3353