Breach exposes data of millions using Suprema’s Biostar 2 lock system

Victor Barreiro Jr.

Administrator passwords for the Biostar 2 biometric lock system were stored in plain text, and administrative access allowed one to change data or add users. The issue has since been closed.

MANILA, Philippines – The facial recognition data, fingerprints, unencrypted usernames and passwords, and personal employee information of over one million people were found in a “publicly accessible database” belonging to the company Suprema, The Guardian reported on Wednesday, August 14.

The data breach affects Suprema’s Biostar 2 biometric lock system.

Biostar 2 uses fingerprints and facial recognition to help identify people who are attempting to enter buildings.

The system was also recently integrated into the AEOS access system of another company, NEDAP. AEOS is used by 5,700 organizations in 83 countries, which include banks, governments, and the UK Metropolitan Police.

Israeli security researchers Noam Rotem and Ran Locar, while working with virtual private network review service vpnmentor, found Biostar 2’s database was unprotected and mostly unencrypted.

In their report on the breach, the researchers said it was discovered on August 5 and closed on August 13, 6 days after they had contacted Suprema about it. Suprema, however, did not appear to respond to Rotem and Locar about the issue.

Rotem said administrator account passwords were stored in plain text. Administrative access allowed one to see “millions of users…using this system to access different locations and see in real time which user enters which facility or which room in each facility.”

He added that the access allowed them “to change data and add new users.”

Speaking with The Guardian, Suprema marketing head Andy Ahn said the company made an “in-depth evaluation” of the information in the vpnmentor report. The company would then inform customers if there were any threats.

Said Ahn, “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.” – Rappler.com


author

Victor Barreiro Jr.

Victor Barreiro Jr is part of Rappler's Central Desk. An avid patron of role-playing games and science fiction and fantasy shows, he also yearns to do good in the world, and hopes his work with Rappler helps to increase the good that's out there.