A huge database of biometric information on more than a million people was just sitting on the internet, unprotected, for anyone to see - as long as they knew where to look. Luckily for everyone whose data was exposed, it seems that security researchers were the first to find the gaping hole.
They notified the database’s owners who have, in the meantime, patched things up.
Israeli security researchers Noam Rotem and Ran Locar, together with vpnMentor, a service that reviews virtual private network providers, were scanning ports in search of familiar IP blocks. They would then use those blocks to find flaws in corporate systems which could potentially lead to a data breach.
In one such excursion, they came across the database belonging to Biostar 2, which was “unprotected and mostly unencrypted”.
The database held 27.8 million records and 23 GB of data, which included admin panels, dashboards, fingerprint data, facial recognition data, user photos, usernames and passwords, facility access logs, security levels, clearance, and staff personal details.
Biostar 2 is, among other things, part of the supply chain for the UK Metropolitan police, through a security company called Suprema.
It was said that the database wasn’t just read-only. Whoever had access could also change the information found there: you could change a person’s fingerprint or photo.
Even though Suprema has yet to comment on the findings, the hole was plugged on Wednesday morning.
The only thing that the company said, through its head of marketing, Andy Ahn, is that it will analyse the situation. Talking to The Guardian, Ahn said: “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.”