Biometric Data Breach Worries Senate Intelligence Committee
Roughly two months ago, security researchers discovered a huge data breach that riddled a web-based biometric security smart lock platform called BioStar 2 used by administrators to control access and manage permissions.
Suprema, a large Seoul, Korea-based security solutions provider and one of the world’s top 50 security manufacturers, makes Biostar2 and maintains a database holding nearly 28 million user records. (Note: Earlier this month, Suprema opened a U.S. sales office for its lineup of resellers, system integrators and distributors.)
In the breach, cyber crooks gained access to more than a million fingerprints and other sensitive data, including photographs of people, facial recognition data, names, addresses and passwords, according to vpnMentor’s researchers, who found the breach.
“This is a huge leak that endangers both the businesses and organizations involved, as well as their employees,” vpnMentor said in a blog post at the time. “Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives.”
The August break-in was the second such leak of sensitive biometric data, the first of which occurred in June and affected U.S. Customs and Border Protection (CBP). That one has drawn the attention of Senator Mark Warner (D-VA), the top Democrat on the Senate Intelligence Committee. Warner wants answers about the cyberattack on a third-party contractor to CBP, in which the hackers pilfered 100,000 images of travelers and other sensitive data. According to CBP officials, the contractor apparently transferred the images to its servers without authorization but claimed that no identifying information was involved.
In a letter to acting CBP Commissioner Mark Morgan, Warner wrote, “It is absolutely critical that federal agencies and industry improve their track records, especially when handling and processing biometric data. Americans deserve to have their sensitive data secured, regardless of whether it is being handled by a first or a third-party.” (via The Hill)
In a separate letter, Warner wanted more information from Suprema CEO James Lee about the August cyberattack, including the names of its U.S. clients and the company’s cybersecurity standards for biometric data it houses. Suprema’s biometric data security systems are used by about 5,700 companies in 83 countries, including banks and foreign law enforcement groups, vpnMentor reported. More than one billion people use Suprema’s technology in some 1.5 million installations, according to the company’s website. All of the installations are potentially vulnerable, the vpnMentor report said.
Biometric technology has gained the interest of users, a recent IBM Security study found. Of the nearly 4,000 adults participating in a survey, 67 percent said they’re comfortable using biometrics, and 87 percent would consider using different types of biometric authentication in the future. However, 55 percent indicated privacy is their biggest biometrics concern, and 50 percent stated they are worried about security.