Biometrics are used to control employee access in companies, but a leak of this data can lead to fines and extortion.
A security breach at the company led to the leak of one million fingerprints;
A breach can let criminals copy biometrics to impersonate victims;
Understand how such a leak can impact businesses, customers, and employees.
Biometric solutions are used to control access to buildings and systems in organizations such as public agencies, banks, and retail companies.
Recently, a security flaw in BioStar 2, software made by the South Korean company Suprema, resulted in the leak of one million fingerprints from its database.
The exposed data was discovered in early August. According to the Israeli researchers who notified Suprema after the incident, the software was unprotected and its data was unencrypted.
The researchers also had access to nearly 30 million records from companies using BioStar 2 (23GB of data in total), including:
Customer admin panel, dashboards, back-end control panel, and permissions;
Users' photos and facial recognition data;
Usernames, passwords, and other user IDs (such as email) without encryption;
Entry and exit records from security areas;
Employee records, including employment start date;
Security levels and employee time off;
Personal information such as the employee's home address and emails;
Hierarchies of company employees;
Information on the mobile devices and operating systems used by employees.
The list above shows how a biometric leak can impact companies using such a solution.
“Biometric data refer to an individual. Biometrics is used to vote or make a withdrawal at the bank, for example. But you can't change your fingerprint like you change an email password when there's an episode like that,” explains Henrique Poyatos, professor of Technology at FIAP.
A leak of sensitive data (the category in which fingerprints fall under Brazil's General Data Protection Law, the LGPD) brings consequences for everyone involved, both the owners and the custodians of that data.
For companies, one consequence is the payment of fines over the leak. For employees and customers, the headache can be greater: attackers can spoof the biometrics and pass themselves off as the victim, carrying out extortion, threats, and other crimes.
The impacts of a vulnerable biometrics solution
Fingerprint and facial recognition data cannot be changed, so a company must invest in multiple layers of security to prevent leaks. “[The company] can use biometrics together with other solutions that make it difficult to identify the person,” comments Poyatos.
In the case of BioStar 2, Suprema did not store a hash of the fingerprint (a hash cannot be reverted to the original data, as we have already shown in Mundo + Tech). Instead, it saved the fingerprint data “raw,” where it could be copied for malicious purposes.
With biometrics and other data exposed in the leak, criminals could use the information for a variety of illegal activities. vpnMentor's report pointed out how such a security incident could negatively impact companies:
1. Account takeovers and security breaches
As with BioStar 2, a security hole can give full access to administrator accounts in the biometrics solution. This would allow an attacker to change security settings on the company's network or create new accounts to gain access to secure areas of a building or facility.
2. Theft (physical) and fraud in the company
Biometric theft can give complete access to an organization's building, whether it is a small business or a government office. An attacker could use this database to enter a room and take any item of value.
The leak also gives attackers the ability to break into corporate networks that may not be reachable from outside the building. As a result, they can steal valuable information, plant malware, and monitor and exploit systems.
3. Identity theft and threat to users
The BioStar 2 leak contained many personal details of employees. This can make employees and customers of affected companies the targets of fraud and other crimes.
The amount of information can be used to create effective phishing campaigns and provide a solid foundation for threatening users for illegal financial gain.
Hackers can also sell information (even fingerprints) on the dark web. This would lead to numerous criminal and untraceable activities, compromising the data of employees and customers of affected companies.
“No one can change the fingerprint, but customers and users can change some info such as passwords for e-mails, cell phones, or other services to make it difficult to identify them,” advises Poyatos.
4. Blackmail and extortion
Criminals can blackmail or extort company executives, who have greater access and permissions to internal environments and processes. With personal information available, attackers will exploit these professionals through vulnerabilities such as family and relationships.
The security of biometrics data
The cloud would be the option least prone to leaks, says Poyatos: “depending on the volume of data, it is unfeasible to keep it inside the company, as in a data center, since it is a solution that can bring other security breaches.”
He also suggests other layers of security that make it harder to identify users. “Companies can use biometrics and another token on the employee's smartphone. But they must encrypt and store this data on separate servers.”
Poyatos says that all companies should be concerned about data security. “We know that the bank is careful with biometrics, but what about a gym? It uses this recognition to check in students, but it's not its core business. Maybe after the LGPD comes into effect.”