vpnMentor, a web privacy research group, has discovered a security loophole in the biometric database of BioStar 2, a security platform built by Suprema, one of the world’s top security manufacturers.
BioStar 2, built by South Korea-based Suprema, is a web-based biometric security smart lock platform that allows admins to control access to secure areas of facilities, manage user permissions, integrate with third-party security apps, and record activity logs. As part of its functionality, BioStar 2 uses facial recognition and fingerprint technology to identify users.
Following BioStar 2’s recent integration into Nedap’s AEOS access control system, the software is said to be in use at over 5.7K organisations in 83 countries.
According to the researchers, the businesses affected by the leak varied widely in size, location, industry, and number of users. Among the businesses worldwide whose information they were able to access and view was Power World Gyms, a gym chain spread across India and Sri Lanka. Over 113K user records, including fingerprints, were found exposed in this gym chain’s database.
Talking about the consequence of such a data breach, vpnMentor’s team said in a blog, “Malicious agents could use this to hack into secure facilities and manipulate their security protocols for criminal activities.”
“Our team was able to access over 1 Mn fingerprint records, as well as facial recognition information. Combined with the personal details, usernames, and passwords, the potential for criminal activity and fraud is massive,” they added.
The group also noted that, unlike a password, fingerprint and facial recognition data cannot be changed once stolen. According to vpnMentor, an affected individual could therefore remain exposed for the rest of their life.
Suprema reportedly closed the loophole on August 13, eight days after vpnMentor discovered the exposure on August 5.
Data Breach Cases In India
Such data breaches have become a recurring affair in India. India was reported as the second most affected country by cyber attacks between 2016 and 2018. The average cost of a data breach in India has risen 7.9% since 2017, with the average cost per breached record reaching INR 4,552 ($64).
Just last week, vpnMentor detected data breaches at two fintech startups from India, Chqbook and CreditFair. While Chqbook closed its loophole within 48 hours, the CreditFair database was still exposed as of July 31.
Prior to this, Truecaller encountered a serious bug that led to the automatic creation of UPI accounts for its users. The company later rolled back the update that had triggered the bug.
Also, in April, two successive privacy loopholes were discovered in the hyperlocal search engine Justdial. That breach was said to have exposed sensitive data of over 100 Mn Indian users.
With the increasing number of data breaches in the country, the Indian government has been taking some steps at the policy level. In July 2018, a high-level panel headed by Justice B.N. Srikrishna submitted its recommendations and the draft Personal Data Protection Bill 2018 to IT minister Ravi Shankar Prasad.