‘Huge data breach’ in security platform used by police

Written by Sam Trendall on 15 August 2019 in News

Biostar 2 data leak compromises millions of sensitive data records but UK public sector users yet to detect any ill effects 


An IT security platform used by a wide range of public sector customers across Europe has suffered a “huge data breach” affecting tens of millions of sensitive data records, researchers have found.

The Biostar 2 app from Suprema offers visitor control functions – including the use of facial recognition and fingerprinting. The technology is integrated into the AEOS access-control platform from Nedap – which is used by a range of big businesses and public sector institutions across Europe. High-profile UK customers include the Metropolitan Police Service.

An investigation by a team of experts from IT security review site vpnMentor – led by independent internet privacy researchers Noam Rotem and Ran Locar – found that Biostar 2 has suffered a data breach that could affect “millions of users”.

Earlier this month, the research team that discovered the breach found that they were able to access 27.8 million records via a publicly available database. This information included more than one million fingerprint records, as well as facial recognition data.

“Once stolen, fingerprint and facial recognition information cannot be retrieved,” said the vpnMentor report. “An individual will potentially be affected for the rest of their lives.”

A wide range of other sensitive data was also exposed, the report found, including passwords, user names, and location entry and exit data. Employee information – including home and email addresses – was also leaked.

Moreover, the research team found that, once it had reported the exposure, the vendor was “generally very uncooperative throughout this process”.

The issues were first discovered on 5 August and then reported to the vendor on 7 August, vpnMentor said. But action was not taken to close the breach until 13 August, the site claimed.

This reportedly only took place after numerous unanswered emails and a phone call in which a German employee told the investigation team that “we don’t speak to vpnMentor”.

Andy Ahn, head of marketing at Biostar 2’s publisher Suprema, told the Guardian that “in-depth evaluation” of the findings of the report is now taking place.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” he said.

UK customers
Several UK businesses were named among the organisations around the world whose information was compromised as part of the breach. But the scale of the impact is not yet known.

“Maybe the biggest concern in this leak is its size,” vpnMentor said. “BioStar 2’s users are spread around the world, with potential future users including governments, banks, universities, defence contractors, police, and multinational businesses. The platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions.”

The Metropolitan Police Service is yet to determine whether it was impacted.

A spokesperson said: “We are working to establish whether any MPS systems are affected by this incident.”

Another UK public sector user of the AEOS system is the University of Nottingham. The institution indicated to PublicTechnology that it does not use a biometric system and has in no way been affected by the breach.

“There are no reported issues,” a spokesperson said. “While we use AEOS technology for card access, we do not use biometric applications.”


About the author

Sam Trendall is editor of PublicTechnology

