fingerprint entrance technology

Security Company Exposes Fingerprint, Facial Recognition Data of Over 1 Million Users

Suprema, which operates the Biostar 2 biometric smart lock system, leaked over 27.8 million records in a publicly accessible database discovered by security researchers.

A publicly accessible database holding the biometric and personal information of over 1 million people ⁠— including fingerprints, facial recognition data and unencrypted usernames and passwords ⁠— was discovered online in what security researchers are calling a “huge data breach” in a new report released Wednesday.

Two researchers and a team at vpnMentor were able to access over 27.8 million records maintained by Suprema, a security company that operates the web-based Biostar 2 biometric smart lock system responsible for access control to warehouses, office buildings and more. The company recently integrated the Biostar 2 platform into the AEOS access control system, which is used by 5,700 organizations across the world, including banks, police forces and governments, The Guardian reported.

Researchers Noam Rotem and Ran Locar found that since the database included encrypted username and password information, they were able to easily create and modify user credentials. In turn, hackers would be able to gain access to any building using the platform by either editing an existing user’s account or adding themselves as users with photographs and fingerprints.

“Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities,” the researchers wrote, noting that fingerprint and facial recognition information cannot be retrieved once stolen, potentially affecting people for the rest of their lives.

Since Rotem and Locar alerted Suprema to the issue, the vulnerability was closed, but the pair had not heard directly from the company. In a statement to The Guardian, the company’s head of marketing, Andy Ahn, said Suprema had taken an “in-depth” evaluation of the research’s findings and would inform customers if there was a threat.

It was not immediately clear if the database had been accessed by unauthorized users before Suprema took action. But the team at vpnMentor remained troubled by the methods Suprema used to secure the data, which left it vulnerable to malicious actors.

“The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company,” the researchers wrote. “Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes."

Security experts noted that multi-factor authentication could help mitigate similar breaches by preventing hackers from entering a building with only one means of identification. But this only works if organizations maintaining identification data do not keep it all within the same system, as Suprema appeared to in this case.

“As long as I can’t get access to a system or building with only one factor, then the compromise of my password, key card or fingerprint doesn’t result in compromise of the whole system,” said Tim Erlin, vice president of product management and strategy at Tripwire. “Of course, if these factors are stored or alterable from a single system, then there remains a single point of failure.”

Robert Capps, a vice president and authentication strategist at NuData Security, said that it’s unclear if the fingerprint data is full resolution or templatized, which would make it difficult for hackers to use the files. However, he said, the other information included in the leak could be used to access financial services accounts.

“It is advisable, therefore, that any company using Biostar 2 for physical access should make plans to ensure their facilities remain secure until the full scope of the vulnerability is known, and consumers whose information was contained in the breach, take precautions to protect any accounts related to the information disclosed in the breach,” Capps said.

About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.