‘Huge data breach’ in security platform used by police

Written by Sam Trendall on 15 August 2019 in News

Biostar 2 data leak compromises millions of sensitive data records but UK public sector users yet to detect any ill effects 


An IT security platform used by a wide range of public sector customers across Europe has suffered a “huge data breach” affecting tens of millions of sensitive data records, researchers have found.

The Biostar 2 app from Suprema offers visitor control functions – including the use of facial recognition and fingerprinting. The technology is integrated into the AEOS access-control platform from Nedap – which is used by a range of big businesses and public sector institutions across Europe. High-profile UK customers include the Metropolitan Police Service.

An investigation by a team of experts from IT security review site vpnMentor – led by independent internet privacy researchers Noam Rotem and Ran Locar – found that Biostar 2 has suffered a data breach that could affect “millions of users”.

Earlier this month, the research team that discovered the breach found that they were able to access 27.8 million records via a publicly available database. This information included more than one million fingerprint records, as well as facial recognition data.

“Once stolen, fingerprint and facial recognition information cannot be retrieved,” said the vpnMentor report. “An individual will potentially be affected for the rest of their lives.”

A wide range of other sensitive data was also affected by the breach, the report found, including passwords, user names, and location entry and exit data. Employee information – including home and email addresses – was also leaked.

Moreover, the research team found that, upon being informed of the security alert, Biostar 2 was “generally very uncooperative throughout this process”.

The issues were first discovered on 5 August and then reported to the vendor on 7 August, vpnMentor said. But action was not taken to close the breach until 13 August, the site claimed.

This reportedly only took place after numerous unanswered emails and a phone call in which a German employee told the investigation team that “we don’t speak to vpnMentor”.

Andy Ahn, head of marketing at Biostar 2’s publisher Suprema, told the Guardian that “in-depth evaluation” of the findings of the report is now taking place.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” he said.

UK customers
Several UK businesses were named among the organisations around the world whose information was compromised as part of the breach. But the scale of the impact is not yet known.

“Maybe the biggest concern in this leak is its size,” vpnMentor said. “BioStar 2’s users are spread around the world, with potential future users including governments, banks, universities, defence contractors, police, and multinational businesses. The platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions.”

The Metropolitan Police Service is yet to determine whether it was impacted.

A spokesperson said: “We are working to establish whether any MPS systems are affected by this incident.”

Another UK public sector user of the AEOS system is the University of Nottingham. The institution indicated to PublicTechnology that it does not use a biometric system and has in no way been affected by the breach.

“There are no reported issues,” a spokesperson said. “While we use AEOS technology for card access, we do not use biometric applications.”


About the author

Sam Trendall is editor of PublicTechnology
