On August 5, 2019, cyber security researchers reportedly discovered a data breach in Biostar 2, a security platform that uses biometric data. The researchers said that millions of Biostar 2 users are affected, and that the exposed data includes fingerprints, facial recognition data, unencrypted usernames and passwords, and other personal information that may include activity logs.
According to the cyber security researchers, many companies use Biostar 2 for building access or for privileged access to business applications.
Data Breach: 27.8 Million Biostar Records, Including Biometrics
The cyber security researchers who discovered the data breach say that they were able to access over a million fingerprint records, as well as facial recognition records. In total, the researchers say they were able to access 27.8 million records, which included information on when employees entered and left work, as well as personal information such as their address and phone number.
They say they disclosed the breach to Suprema, the maker of Biostar 2, but the company initially ignored them. The researchers tried to reach company officials and even reported the breach to the GDPR compliance office for Biostar 2. The researchers were eventually able to reach someone in Biostar’s French offices, and the company was then able to secure the compromised data, according to vpnMentor.
The biometric data was publicly exposed for at least a week after the cyber security researchers discovered it, but was likely available for much longer, according to vpnMentor.
Biostar 2 Data Breach Victims May Be At Great Risk
The cyber security researchers point out that biometric data is forever. Your fingerprints and face follow you around for life.
The cyber security researchers who discovered the breach said:
Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can’t be undone. The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company.
Instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.
Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities.
Because biometric data usually does not change, individuals whose biometric data has been compromised may face a lifetime of risk that their biometrics will be used for criminal activity.
According to the cyber security researchers, employees with the following companies had records exposed:
- Union Member House
- Lits Link
- Phoenix Medical
Our Data Breach Lawsuit Attorneys
Our Data Breach Lawsuit Experience
Our firm has represented plaintiffs in complex lawsuits involving some of the nation’s largest data breaches, including litigation against Anthem, Adobe, Home Depot, Excellus Blue Cross and Blue Shield, and Banner Health, among others. In the past, we have successfully represented consumers with data breach and privacy claims involving HealthNet and Certegy Check Services.
Eric Gibbs has established himself as a leader in emerging litigation involving data breach and privacy. He was court-appointed to the four-member leadership team in the Anthem Data Breach Litigation, which recently settled for $115 million, the largest data breach settlement in history (settlement pending final Court approval). Eric secured a landmark ruling in the Adobe Systems, Inc. Privacy Litigation, which makes it easier for plaintiffs to seek relief following a breach. He was recently selected from among a pool of attorneys from across the country to serve as co-lead counsel in the Vizio, Inc., Consumer Privacy Litigation.
Eric co-founded the American Association for Justice’s Data Breach and Privacy Litigation Group, and has served as chair and organizer of several consumer privacy conferences on best practices and developments in consumer privacy litigation.