Credit: PXhere

An IT security platform used by a wide range of public sector customers across Europe has suffered a “huge data breach” affecting tens of millions of sensitive data records, researchers have found.

The Biostar 2 app from Suprema offers visitor control functions – including the use of facial recognition and fingerprinting. The technology is integrated into the AEOS access-control platform from Nedap – which is used by a range of big businesses and public sector institutions across Europe. High-profile UK customers include the Metropolitan Police Service.

An investigation by a team of experts from IT security review site vpnMentor – led by independent internet privacy researchers Noam Rotem and Ran Locar – found that Biostar 2 has suffered a data breach that could affect “millions of users”.

Earlier this month, the research team that discovered the breach found that they were able to access 27.8 million records via a publicly available database. This information included more than one million fingerprint records, as well as facial recognition data.

“Once stolen, fingerprint and facial recognition information cannot be retrieved,” said the vpnMentor report. “An individual will potentially be affected for the rest of their lives.”

A wide range of other sensitive data was also affected by the breach, the report found, including passwords, user names, and location entry and exit data. Employee information – including home and email addresses – were also leaked.

Moreover, the research team found that, upon being informed of the security alert, Biostar 2 were “generally very uncooperative throughout this process”. 

The issues were first discovered on 5 August and then reported to the vendor on 7 August, vpnMentor said. But action was not taken to close the breach until 13 August, the site claimed.

This reportedly only took place after numerous unanswered emails and a phone call in which a German employee told the investigation team that “we don’t speak to vpnMentor”.

Andy Ahn, head of marketing at Biostar 2’s publisher Suprema, told the Guardian that “in-depth evaluation” of the findings of the report is now taking place.

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” he said.

UK customers
Several UK businesses were named among the organisations around the world whose information was compromised as part of the breach. But the scale of the impact is not yet known.

“Maybe the biggest concern in this leak is its size,” vpnMentor said. “BioStar 2’s users are spread around the world, with potential future users including governments, banks, universities, defence contractors, police, and multinational businesses. The platform has over 1.5 million worldwide installations, and all of these could be vulnerable to this leak. The total number of people affected could be in the tens of millions.”

The Metropolitan Police Service is yet to determine whether it was impacted.

A spokesperson said: “We are working to establish whether any MPS systems are affected by this incident.”

Another UK public sector user of the AEOS system is the University of Nottingham. The institution indicated to PublicTechnology that it does not use a biometric system and has in no way been affected by the breach.

“There are no reported issues,” a spokesperson said. “While we use AEOS technology for card access, we do not use biometric applications.”

Click here to read the full vpnMentor report