Biometrics of one million people discovered on publicly accessible database

Biostar 2 database, used for access control by police, defence contractors and banks, found online unprotected and unencrypted

A biometrics database used by the police, banks and defence contractors has been discovered online unprotected, with the fingerprints and facial recognition scans unencrypted.

Furthermore, the Biostar 2 database - used as part of security systems for warehouses and offices - also contained user names, passwords and other personal information. And the database was so exposed that data could easily be manipulated, and new accounts with corresponding biometrics added

The unprotected database was discovered by Israeli security researchers and ‘hacktivists' Noam Rotem and Ran Locar, who run the VPNMentor service, which tests VPNs for speed, security, support and other features, and lists only legitimate and secure VPNs.

The database was discovered by Rotem and Locar in a routine scan last week. They found that not only was the Biostar 2 database unprotected, but that its sensitive contents were largely unencrypted. "We were able to find plain-text passwords of administrator accounts," Rotem told The Guardian.

They were able to search the database using the Elasticsearch, simply by manipulating the URL search critieria.

The researchers told The Guardian that they were able to access more than 27.8 million records and data amounting to 23GB. The information included dashboards, fingerprint data, facial recognition data, access logs, security levels and clearance and even unencrypted user names and passwords, and the personal details of staff.

Furthermore, the data was being updated in real-time, enabling Rotem and Locar to see who was accessing which part of the buildings where they worked.

Worse still, perhaps, the researchers claim that the company behind the Biostar 2 database were "generally very uncooperative". In a blog, they claimed: "Our team made numerous attempts to contact the company over email, to no avail. Eventually, we decided to reach out to Biostar 2's offices by phone. Again, the company was largely unresponsive.

"Upon speaking to a member of their German team, we received a mumbled reply that "we don't speak to vpnMentor", before the phone was suddenly hung up. This suggests they were aware of us, and our attempts to resolve the issue. We also tried to contact Biostar 2's GDPR compliance officer but received no reply.

"Eventually, after speaking to the more cooperative French branch over the phone, steps were taken by the company to close the breach."

Furthermore, claim Rotem and Locar, the company stored the facial recognition scans and fingerprints as well - not just hashes of the data - enabling the biometrics to be stolen and used for nefarious purposes. Administrator access means that data within the database could also be manipulated.

"Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can't be undone. The unsecured manner in which Biostar 2 stores this information is worrying, considering its importance, and the fact that Biostar 2 is built by a security company.

"Instead of saving a hash of the fingerprint (that can't be reverse-engineered) they are saving people's actual fingerprints that can be copied for malicious purposes.

"Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities."

In addition, because the database was so wide open, attackers could have changed user permissions, created new accounts with the appropriate facial and fingerprint scans and so on. In other words, the Biostar 2 security database is effectively compromised.

In the UK, organisations affected included Phoenix Medical, a provider of traditional Chinese medicine, and retailer Tile Mountain. The Biostar 2 platform has more than 1.5 million installations worldwide.

The attitude of the company's staff upon being informed of the security flaws will almost certainly invite a heavy punishment from the appropriate data protection authority. In the UK in the first fines proposed by the Information Commissioner's Office (ICO) under GDPR, British Airways is facing a £183 million fine and Marriott a £99 million fine. The ICO is still mulling over the Ticketmaster breach from 2018.