Forbes reports that a security company lost almost 28 million records, including loads of biometric data such as fingerprints and facial recognition data such as photos of users. It also had un-encrypted usernames and passwords, logs of facility access, and the individuals’ security levels and clearance!
This is why it is folly to create a honeypot with such irretrievable and sensitive information. Distributing biometrics in the phone and making them safely accessible using FIDO’s approach makes better sense for all, except for those few security situations where the individual’s access is so valuable that it would put that person’s life in jeopardy. Then you have an entirely different problem to deal with:
“It has been coming for some time, but now the major breach of a biometric database has actually been reported—facial recognition records, fingerprints, log data and personal information has all been found on “a publicly accessible database.” The damage is not yet clear, but the report claims that actual fingerprints and facial recognition records for millions of people have been exposed.
The issue with biometric data being stored in this way is that, unlike usernames and passwords, it cannot be changed. Once it’s compromised, it’s compromised. And for that reason this breach report will sound all kinds of alarms.
The report published by security researches Noam Rotem and Ran Locar at Vpnmentor relates to Suprema, a company describing itself as a “global Powerhouse in biometrics, security and identity solutions,” with a product range that “includes biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules.”
The news of the breach was first published by Wednesday’s Guardiannewspaper in the U.K., which highlighted the use of Suprema solutions by the “Metropolitan Police, defence contractors and banks.’ The breach, though, is international, with Suprema’s Biostar 2 biometric identity SDK integrated into the AEOS access control system ‘used by 5,700 organisations in 83 countries, including governments, banks and the police.’”
Overview by Tim Slone, VP, Payments Innovation at Mercator Advisory Group
