BioStar 2 biometric security platform breach includes over 1 million fingerprint records

Written 10 months ago by IanDorfman

The team at vpnMentor has released a report detailing an exposed database belonging to BioStar 2, a web-based biometric access control platform used to manage smart locks and secure-area entry. BioStar 2 is integrated into the popular AEOS access control system, so the exposure potentially affects the 5,700 organizations in 83 countries that use AEOS, including institutions such as the United Kingdom Metropolitan Police, since the platform is used to manage building access and related administrative functions across a wide range of businesses and organizations.

According to vpnMentor's report, the exposed data included unencrypted usernames and passwords, personal information on many employees, and credentials that gave access to the accounts and permission settings of any facility that uses BioStar 2. In effect, an attacker could have added or modified user accounts, changed access rights and altered or deleted entry logs, turning what would otherwise be secure facilities into ones whose physical access controls could be manipulated at will.

The vpnMentor team was able to access 23 gigabytes of data, including the following:

• Access to client admin panels, dashboards, back end controls, and permissions
• Fingerprint data
• Facial recognition information and images of users
• Unencrypted usernames, passwords, and user IDs
• Records of entry and exit to secure areas
• Employee records including start dates
• Employee security levels and clearances
• Personal details, including employee home address and emails
• Businesses' employee structures and hierarchies
• Mobile device and OS information

In all, nearly 28 million records were accessible. None of the information, including passwords, was protected: passwords were stored in plaintext rather than hashed, and some were as simple as the word "Password." The fingerprint and facial recognition data is the more serious exposure, since a leaked password can be reset but a person's biometrics cannot be changed.

vpnMentor discovered the exposed database on August 5th and began trying to alert BioStar 2's developer, Suprema, on August 7th, but was met with hostility and a lack of cooperation until it reached the company's French branch. The database was finally secured on August 13th.

Further coverage:
vpnMentor