Biometrics platform used by UK police stored millions of unhashed fingerprints on unsecured database

...

Researchers have discovered a 23GB database containing “almost every kind of sensitive data available”

An unencrypted Elasticsearch database containing millions of fingerprints, facial recognition information, unencrypted usernames and passwords, and personal information on employees has been discovered by researchers.

The database belongs to Biostar 2, a biometric security platform recently integrated into AEOS, an access control system used by the UK Metropolitan Police. In total AEOS is used by over 5,700 organisations across 83 countries, including large multinational corporations, small businesses, governments, banks and defence firms.

Suprema, the company who built Biostar 2, is considered one of the world’s leading security manufacturers and is the leading biometric access control provider in EMEA. Biostar 2 enables admins to control both physical security and application security from a single pane of glass.

The researchers expressed frustration over the time it took for Biostar 2 to close the breach once they alerted the company to their findings on 5th August. After failing to contact Biostar 2 via email, two days later they called the German branch who said they “didn’t speak to vpnMentor” before hanging up.

The researchers then spoke to a “more cooperative” French branch who took measures to close the breach. The breach was closed on 13 August, over a week after Biostar 2 was first alerted to it.