Biometric Database Breach: Expert Commentary

Suprema has reportedly suffered a breach of its biometric database, with facial recognition records, fingerprints, log data and personal information found on “a publicly accessible database.” The extent of the damage is not yet clear, but the report claims that actual fingerprints and facial recognition records for millions of people have been exposed.

Chris DeRamus, CTO and co-founder
InfoSec Expert
August 21, 2019 9:57 pm

Leaving servers unprotected seems like such a simple mistake to avoid, but more and more companies suffer data breaches as the result of misconfigurations, and we read about them in the news almost every day. Suprema joins Aavgo, University of Chicago Medicine, Rubrik, Gearbest, Ascension and countless other organizations this year as victims of data leaks due to misconfigurations. The truth is, organizations are lacking the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis. Automated cloud security solutions give companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real time.
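The kind of continuous misconfiguration check the comment above refers to, reduced to its core: an added example (not from the commentator or from any vendor's product) that scans constructed firewall rules for database ports reachable from the whole internet, emits an alert, and applies a remediation by re-scoping the offending rule to an assumed trusted range. The rule names, ports and CIDRs are all constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, replace

# Ports of common databases and search engines; opening one of these to
# the whole internet is the misconfiguration behind most "publicly
# accessible database" breaches. Port-to-service mapping is illustrative.
DB_PORTS = {1433: "mssql", 3306: "mysql", 5432: "postgres", 6379: "redis",
            9200: "elasticsearch", 27017: "mongodb"}

@dataclass(frozen=True)
class Rule:
    resource: str   # security group / firewall rule set (constructed name)
    from_port: int  # inclusive port range start
    to_port: int    # inclusive port range end
    source: str     # CIDR allowed to connect

def is_anywhere(cidr: str) -> bool:
    """True if the source CIDR admits the entire IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_public_db_exposures(rules):
    """Return (resource, services, source) for every any-source rule whose
    port range covers at least one database port."""
    findings = []
    for r in rules:
        if not is_anywhere(r.source):
            continue
        hit = [svc for port, svc in DB_PORTS.items() if r.from_port <= port <= r.to_port]
        if hit:
            findings.append((r.resource, sorted(hit), r.source))
    return findings

def remediate(rule: Rule, trusted_cidr: str) -> Rule:
    """Automated remediation: replace the any-source CIDR with a trusted range
    (the trusted range is an assumption supplied by the operator)."""
    return replace(rule, source=trusted_cidr)

# Constructed sample rules; not real infrastructure.
SAMPLE_RULES = [
    Rule("sg-web", 443, 443, "0.0.0.0/0"),      # acceptable: HTTPS to the world
    Rule("sg-db", 5432, 5432, "10.0.0.0/8"),    # acceptable: internal only
    Rule("sg-db", 27017, 27017, "0.0.0.0/0"),   # exposure: MongoDB to the world
    Rule("sg-legacy", 1024, 65535, "::/0"),     # exposure: wide range over IPv6
]

if __name__ == "__main__":
    for resource, services, src in find_public_db_exposures(SAMPLE_RULES):
        print(f"ALERT {resource}: {', '.join(services)} reachable from {src}")
```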

Jonathan Bensen
InfoSec Expert
August 20, 2019 5:43 pm

Suprema has potentially compromised more than 27.8 million records of admin panels and dashboards, as well as individuals’ sensitive biometric data and other PII, which can be devastating for those affected. The information exposed could allow a malicious group to conduct a sophisticated social engineering attack with real-world implications, including allowing unauthorized users to access high-security areas that require biometric signatures for access.

Seeing as UK citizens’ data was exposed, it will not be surprising if the South Korea-based biometrics, security and identity solutions provider faces fines under GDPR. Suprema can even face litigation from citizens in other countries, including the U.S. In fact, China-based Huazhu Group was sued last October by a Huazhu shareholder in the Central District of California after the company’s breach of 123 million records of registration data.

Organizations need to continuously monitor all IT assets across hundreds of potential attack vectors to detect vulnerabilities. This involves analyzing tens of billions of time-varying data signals, a task that is not a human-scale problem anymore. The key to thwarting future attacks is to leverage security tools that employ the right AI and ML techniques to observe and analyze these data points in real time and derive insights in order to prioritize the vulnerabilities that need to get fixed first. Proactively managing risk must become the new norm and is a requirement for successful cybersecurity practice.

David Emm, Principal Security Researcher
InfoSec Expert
August 15, 2019 10:34 am

“This incident underlines the risks associated with using biometric identifiers. Biometric data is just as valuable a target for cybercriminals as usernames and passwords. The theft of biometric data, and the fact that this could be used to spoof people’s identity, highlights how important it is for companies to secure customer data. This is especially important in the case of biometric data. In the event of a data breach, a compromised password can be changed, but this is not true for a fingerprint or other biometric data. This raises the question of whether biometrics are a safe alternative to passwords. It’s my view that biometrics should be used as an alternative to usernames, not passwords. Whether it’s passwords or biometrics, providers should take steps to secure authentication data and other personal information. If data is stored in the clear, it provides a treasure trove for cybercriminals.”

Willy Leichter
InfoSec Expert
August 15, 2019 10:29 am

Unfortunately, leaking of biometric source information is the inevitable next step in a long line of security blunders. With any authentication method, from passwords to advanced biometrics, security is only as strong as its weakest link. With all the hype around biometrics and AI, we tend to overlook the basics – we’re entrusting increasingly unchangeable personal data to a network of third parties with little oversight, and few enforceable standards over how priceless personal data is handled. While GDPR lays out principles for data protection, these need to be swiftly and severely enforced for organizations that are clearly reckless.

Kevin Gosschalk, CEO
InfoSec Expert
August 15, 2019 10:22 am

Suprema’s breach exposing biometric records for more than 28 million people — including fingerprint data, facial recognition data, and face photos of users — disrupts the long-held belief that biometrics are the most effective authentication solution. This breach not only exposes individuals to fraud but also makes them indefinitely vulnerable to future attacks, as biometrics, unlike passwords or credit card numbers, cannot be changed.

Today’s cybersecurity ecosystem has commoditized the sale of consumer records and credentials on the dark web, making passwords and other traditional authentication methods easily susceptible to account takeover attacks. Biometric authentication technology emerged as the go-to solution in a post-password world, but compromising the biometrics of millions of users could have a long-term impact on its viability and security. We are in uncharted territory because this is the first major biometric breach to date, and it’s unclear how immediately cybercriminals will be able to weaponize this information to the detriment of the 28 million victims impacted and the 5,700 organizations currently using Suprema’s biometric identity technology. What is clear, however, is that this highly sensitive information should never have been left on an unprotected database. Data powers today’s global economy, and businesses must understand their threat landscape and implement a proactive approach to fraud prevention.

