A trove of fingerprints, passwords and facial recognition data, supposedly protected, was found exposed and accessible online because the database of a company that provides secure access to warehouses and offices was flawed.

The exposed data included fingerprints belonging to over a million people, as well as unencrypted passwords, The Guardian reported. The security company, Suprema, is responsible for the Biostar 2 biometric lock system used by the U.K. Metropolitan police, defense contractors and banks, the paper said.

The breach was discovered by Israeli researchers Noam Rotem and Ran Locar, who were working for security firm VPNMentor. While the hole has been fixed, how long the data was accessible is not clear.

Biostar 2 calls itself an “open and integrated security platform” that enables companies to control who is allowed to use doors and elevators by using biometric data. It integrates with a number of other access control systems, including AEOS, which counts London’s Metropolitan Police Service among its customers.

  • In total the breach contained 27.8 million records, including 23 gigabytes of data that covered fingerprints, facial recognition data, photos, personal details and access logs from facilities the system is plugged into, the Guardian said.
  • The potential for what criminals could do with the data is almost limitless, from robbery – using the system to literally let them walk through the front door – to identity theft, fraud and blackmail.
  • Researchers were also able to access administrator accounts, and add or edit users – potentially adding their own fingerprints to a system, the paper said. And they were able to search through the system for data by manipulating the exposed URL.
  • Suprema didn’t appear particularly receptive when the researchers approached it with information about the breach before publication of VPNMentor’s paper — though the breach was quietly patched within days, the researchers say.
  • Karma Takeaway: This is a horrifying breach because of the biometric data being exposed. You might be able to change your password, but you cannot change your fingerprints. Suprema is going to have to work hard to regain the trust of its customers.