‘Huge data breach’ in security platform used by police

Written by Sam Trendall on 15 August 2019 in News

Biostar 2 data leak compromises millions of sensitive data records, but UK public sector users are yet to detect any ill effects


An IT security platform used by a wide range of public sector customers across Europe has suffered a “huge data breach” affecting tens of millions of sensitive data records, researchers have found.

The Biostar 2 app from Suprema offers visitor control functions – including the use of facial recognition and fingerprinting. The technology is integrated into the AEOS access-control platform from Nedap – which is used by a range of big businesses and public sector institutions across Europe. High-profile UK customers include the Metropolitan Police Service.

An investigation by a team of experts from IT security review site vpnMentor – led by independent internet privacy researchers Noam Rotem and Ran Locar – found that Biostar 2 has suffered a data breach that could affect “millions of users”.

Earlier this month, the research team was able to access 27.8 million records via a publicly accessible database. This information included more than one million fingerprint records, as well as facial recognition data.

“Once stolen, fingerprint and facial recognition information cannot be retrieved,” said the vpnMentor report. “An individual will potentially be affected for the rest of their lives.”

A wide range of other sensitive data was also exposed by the breach, the report found, including passwords, user names, and location entry and exit data. Employee information – including home and email addresses – was also leaked.

Moreover, the research team found that, upon being informed of the exposure, Biostar 2 was “generally very uncooperative throughout this process”.

The issues were first discovered on 5 August and then reported to the vendor on 7 August, vpnMentor said. But action was not taken to close the breach until 13 August, the site claimed.

This reportedly only took place after numerous unanswered emails and a phone call in which a German employee told the investigation team that “we don’t speak to vpnMentor”.

Andy Ahn, head of marketing at Biostar 2’s publisher Suprema, told the Guardian that “in-depth evaluation” of the findings of the report is now taking place.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” he said.

UK customers
Several UK businesses were named among the organisations around the world whose information was compromised as part of the breach. But the scale of the impact is not yet known.

“Maybe the biggest concern in this leak is its size,” vpnMentor said. “BioStar 2’s users are spread around the world, with potential future users including governments, banks, universities, defence contractors, police, and multinational businesses. The platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions.”

The Metropolitan Police Service is yet to determine whether it was impacted.

A spokesperson said: “We are working to establish whether any MPS systems are affected by this incident.”

Another UK public sector user of the AEOS system is the University of Nottingham. The institution indicated to PublicTechnology that it does not use a biometric system and has in no way been affected by the breach.

“There are no reported issues,” a spokesperson said. “While we use AEOS technology for card access, we do not use biometric applications.”


About the author

Sam Trendall is editor of PublicTechnology
