Over 27.8M Records Exposed in BioStar 2 Data Breach

About 23 GB worth of data consisting of 27.8 million sensitive biometric records was found exposed in a massive data breach involving biometric security platform BioStar 2. This is according to researchers from VPNMentor, who saw substantial portions of BioStar 2’s database left unprotected and unencrypted or insufficiently secured. The Suprema-owned BioStar 2 platform provides thousands of companies with biometrics security in order to restrict access to offices, buildings, and other private areas.

[READ: Data Breaches 101: How They Happen, What Gets Stolen, and Where It All Goes]

BioStar 2 has recently been integrated with Nedap’s AEOS physical access control system, a security suite that connects physical locks, biometric readers, and other devices to keep buildings secure. The AEOS system is currently being used by over 5,700 organizations worldwide. With BioStar 2’s data leak, the sensitive biometric information of these organizations, including government units, financial companies, and even the UK’s Metropolitan Police, may have been compromised.

Sensitive information leaked in this data breach include 1 million fingerprints as well as facial recognition data and images. Access to dashboards and backend controls, usernames and passwords, and employee records were also uncovered. A recorded list of those who entered and left secured areas was also exposed.

The researchers also noted that they were able to easily access the accounts associated with this leak, as many of the accounts had default or easily decipherable passwords. Those with more complex passwords were also accessed because they were all saved as plain text to the database.

How to prevent or mitigate data breaches

Unprotected and unsecured databases are sure-fire entry points for cybercriminals who want to get hold of an organization’s sensitive data. Managed detection and response (MDR) services can help companies ensure that security gaps are bridged and that data breaches are mitigated or responded to. With round-the-clock security professionals correlating and analyzing threat intelligence, fielding and prioritizing alerts, and investigating and hunting threats, organizations can make the most out of their security solutions. MDR provides organizations with security capabilities that can help them anticipate and thwart known (or unknown) threats and, in the event of a compromise, remediate the incident faster.

Enterprises are under increasing pressure to protect data. They can face client backlash, severe financial hits, and regulatory compliance fines if they do not properly secure the data they collect. There are many ways an organization can be breached — from compromised third-party suppliers to vulnerable tools and applications. Other factors can also expose systems to a data breach, from misconfiguration and patch lags, to unsecure software or system components.

Organizations and users can also implement some of these best practices to secure data.

For enterprises:

  • Identify the weak spots in your organization’s security infrastructure — including your supply chain — and implement intrusion prevention measures accordingly.
  • Educate all company employees on security policies and contingency plans, including how to identify an attack and common forms of social engineering, and what to do when it happens.
  • Practice network segmentation and data categorization.

For individuals:

  • Create strong passwords for all online accounts and change them regularly.
  • Monitor accounts for unauthorized access and report any irregularities to related authorities immediately.
  • Be aware of different social engineering techniques attackers use to steal online credentials.
  • Enable two-factor authentication (2FA) on all online accounts whenever applicable.




Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Online Privacy