Major breach in the biometric system used by banks and defense departments in the United Kingdom

Fingerprints, facial recognition and other personal information were discovered in a publicly accessible database.

In August 2019, the fingerprints of more than 1 million people were exposed, along with facial recognition information, unencrypted usernames and passwords, and personal information of employees, in a database used by the police, defense contractors and UK banks.

The security company Suprema, which is responsible for the web-based biometric recognition system, put millions of people at risk. Its BioStar 2 software provides centralized control of access to secure facilities, warehouses or office buildings, and uses fingerprints and facial recognition as part of its methods to identify people trying to access these buildings.

The BioStar 2 software is used by 5,700 organizations, such as banks, police and government among many others, in 83 countries, including the United Kingdom.

While searching for holes in company systems that could lead to data breaches, Israeli researchers Noam Rotem and Ran Locar found that the BioStar 2 databases were totally unprotected and unencrypted. This gave access to 27.8 million records and 23 gigabytes of freely accessible data, including administration panels, user facial photos, usernames and passwords, security and authorization levels, and facial recognition data, without any encryption.

This means that they could easily edit the accounts of existing users and add their own fingerprints to be able to access any building that has this software.

In a statement sent to The Guardian about this discovery, the researchers said they were able to access data from co-working organizations in the US and Indonesia.

The magnitude of this breach is alarming because the Suprema service is used in 1.5 million locations worldwide and, unlike other breaches, it makes it possible to change the fingerprint that is unique to each user.

"Instead of saving a hash of the fingerprint, they are saving the actual fingerprints of people who can be copied for malicious purposes," the researchers said in a statement.

The researchers tried on multiple occasions to contact Suprema without any response, even before delivering the statement to The Guardian. The vulnerability is currently closed, but they have not heard from the security company.

Vulnerabilities in the supply chain, where a company relies on a third-party company for a service that does not have adequate security, are common, and often some of the vulnerabilities discovered have been in companies listed in the Fortune 500.

"Mistakes happen at any time and the real test is how you handle them," Rotem said, "Some people take it as an opportunity to fix it and others get offended for some reason."

It is clear that we are not always protected, even if we hire high-end companies and put the security of our personal data in their hands, but we can help ourselves avoid these gaps with simple steps. We recommend you read our article “Basic Tips for computer security inside your company”.

Andrea Leal
