August 14, 2019

Israeli security researchers have discovered an unprotected online database holding the fingerprints of over a million people, as well as facial recognition data, employee information, and unencrypted usernames and passwords.

The database is connected to Biostar 2, a security system used by the Metropolitan Police, big banks, and defence contractors.

Biostar 2 uses biometrics to enable centralised access control to secure facilities like warehouses or office buildings. Fingerprint and facial recognition techniques are used to confirm identity and authorisation.

Suprema, the company that makes the system, announced last month that Biostar 2 would be integrated into another access control system called AEOS – which is used by 5,700 organisations across 83 countries, including governments, financial institutions, and the Met.

Researchers Noam Rotem and Ran Locar worked with VPN vendor vpnMentor to scan ports on common IP addresses, then used what they found to look for vulnerabilities in company systems.

They found Biostar 2’s database unprotected and mainly unencrypted. They could search it by changing the URL search criteria of the Elasticsearch search engine, gaining access to 23 gigabytes of data.
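The exposure described above comes down to an Elasticsearch node that answered queries from the internet with no authentication and no transport encryption. As an added illustration, not taken from the article or from Suprema’s deployment, the fragment below shows an `elasticsearch.yml` with the weak settings that allow that, beside the corrected settings a defender would expect. The keys are standard Elasticsearch settings (7.x era); the keystore path is a placeholder.

```yaml
# --- Weak: what an openly queryable node typically looks like ---
# Binds the HTTP API to every interface, so anyone who can reach port 9200
# can run searches by editing the URL, as the researchers did.
network.host: 0.0.0.0
http.port: 9200
# Security features switched off: no users, no roles, no TLS.
xpack.security.enabled: false

# --- Corrected: same node, not reachable or usable without credentials ---
# Listen only on the loopback (or a private management interface) so the
# node is not exposed to the internet at all; put clients behind a proxy
# or VPN instead.
network.host: 127.0.0.1
http.port: 9200
# Require authentication and roles for every request.
xpack.security.enabled: true
# Encrypt the HTTP API so usernames, passwords and query results are not
# sent in the clear.  Path below is a placeholder for your own keystore.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http-placeholder.p12
```

The check a practitioner wants after applying the second block is simple: from a host outside the private network, port 9200 should not be reachable at all, and from inside it an unauthenticated request should be refused rather than returning index data. Enabling security also means running the Elasticsearch user-setup step to set initial passwords; the configuration alone does not create any accounts.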

Across 27.8m records they saw admin panels, logs of facility access, photos of users’ faces, unencrypted usernames and passwords, and personal details of staff including security levels and clearance.

You can’t reset your fingerprint

Among the organisations visible on the database were a UK medicines supplier, co-working businesses in the US and Indonesia, a chain of fitness centres in India and Pakistan, and a car park developer in Finland.

The scale of the breach is alarming. Biostar 2 is installed in 1.5m locations across the world and, unlike when passwords are breached, biometrics can’t simply be updated.

The potential for misuse of biometric data for fraud, identity theft, and ‘traditional’ thieving is enormous. Sadly, too many organisations fail to protect access to their internet-connected databases and systems.

Alongside the Biostar 2 discovery, earlier this year an email marketing firm left 809 million email addresses and passwords unprotected in a cloud database.

The Marriott Starwood hotel chain suffered one of the biggest cloud breaches in history last year when hackers worked out an easily guessed password for Starwood’s ServiceNow cloud computing platform. It was possible to access guest financial records, IT security controls, and personal information including passport numbers.

Popular app Timehop revealed a security breach of its cloud database that exposed names and emails of its entire user base – 21 million people.

Along with straightforward theft of biometric data, hacking internet-connected systems can also enable supply chain attacks, sneaking malware into locally stored files that will be automatically uploaded to the cloud.

The human factor

The absurdity of leaving systems designed to improve security unprotected won’t be lost on cyber experts. Even after all the investments companies make to improve defences and eliminate technical exploits, human error still opens the door to hacks.

  • According to the Ponemon Institute, security breaches caused by employees and contractors cost the average business as much as £6.9 million per year — more than twice the average cost of other breaches.
  • IBM says people-borne ‘insider threats’ account for 60 per cent of cyber attacks.
  • Freedom of Information requests sent to the ICO show that employee error caused nearly half of all breach incidents reported over the last three years.

With their access to systems and facilities, insiders have the power to leak intellectual property and expose sensitive information to third parties.

This can happen maliciously or, as in most cases, as a by-product of carelessness: sharing passwords, clicking questionable email links, leaving USB sticks lying around, or deciding it’s OK to leave fingerprint and facial recognition databases unencrypted.

Better training is key to tackling the human factor, both to make staff aware of their own actions, and to sensitise them to signs of adverse behaviour in others.

– Watch our hilarious security awareness training –

Secure systems by empowering your people

What seems to be common in all these breaches isn’t bad security, but bad decisions: weak passwords, encryption switched off, simple password/userid requirements, or a complete failure to protect user databases at all.

In the end, storing sensitive data in connected systems is as safe as people allow it to be. There is a human element in cyber that can either make cyber defences weaker – or stronger.

At home or at work, the strength of cybersecurity often depends on how empowered people are in terms of their security awareness. If employees can be trained to understand the weaknesses in cloud security, and sustain their level of awareness, the risk of a cloud breach can be reduced.

Harvard Business Review has said that better training is the best cyber security investment a business can make. In the cloud or in the office, empowering your people is the best way to minimise cybersecurity risk.

Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.
