Privacy researchers at vpnmentor have uncovered a huge data breach in security platform Biostar 2, a centralised biometric access control system used by UK police forces and major banks.
Biostar 2 uses facial recognition and fingerprinting technology to control access to secure areas of facilities, manage user permissions, integrate with 3rd party security apps, and record activity logs.
Vpnmentor says it was able to access over 27.8 million records, a total of 23 gigabytes of data, on a publicly accessible database
The data leaked includes detailed personal information of employees and unencrypted usernames and passwords as well as access to over 1 million fingerprint records, as well as facial recognition information.
Researchers at vpnmentor say the breach would enable hackers to gain complete access to admin accounts on Biostar 2, enabling them to change user accounts and create their own accounts. Furthermore, hackers can change the fingerprints of existing accounts to their own and hijack a user account to access restricted areas undetected.
Says the firm: "Hackers and other criminals could potentially create libraries of fingerprints to be used any time they want to enter somewhere without being detected."
Biostar 2 is built by Suprema, which recently partnered with Nedap to integrate the app into their AEOS access control system.
AEOS is used by over 5700 organizations in 83 countries, including some of the biggest multinational businesses, many small local businesses, governments, banks, and even the UK Metropolitan Police.
The researchers say they made multiple unsuccessful attempts to contact Suprema before taking the paper to the Guardian broadsheet late last week. Early Wednesday morning the vulnerability was closed.