By Clare O’Gara
Thu | Aug 15, 2019 | 7:17 AM PDT

Over the years, security has turned increasingly to biometric data for authentication.

And the reason seems to make sense. After all, what's more secure than your own body and its unique attributes?

Unfortunately, BioStar 2's recent data breach shows us the risks and potential damage that can come from having a biometric database compromised.

What was leaked from the biometric database?

When privacy and security researchers discovered they could access the biometric security database, they took the opportunity to examine what was available. 

They released a video on the breach.

According to researchers at vpnMentor, the database contained "almost every kind of sensitive data available."

They included a list of everything they found:

  • Access to client admin panels, dashboards, back end controls, and permissions 
  • Fingerprint data 
  • Facial recognition information and images of users
  • Unencrypted usernames, passwords, and user IDs
  • Records of entry and exit to secure areas
  • Employee records including start dates
  • Employee security levels and clearances
  • Personal details, including employee home address and emails
  • Businesses’ employee structures and hierarchies
  • Mobile device and OS information

They also reported downloading more than one million actual fingerprints from BioStar 2.

And the information they found on account passwords was also shocking. It reveals there is more work to do around security awareness:

One of the more surprising aspects of this leak was how unsecured the account passwords we accessed were. Plenty of accounts had ridiculously simple passwords, like "Password" and "abcd1234".

It’s difficult to imagine that people still don’t realize how easy this makes it for a hacker to access their account. 

With BioStar 2's entire database breached and available, any of these individual accounts could have been easily exploited by hackers.
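
The password part of this finding is something a defender can audit for directly. The following Python code is an added example, not taken from vpnMentor's report or from BioStar 2; the record layout, the `scrypt$` storage format and the deny-list are assumptions made for illustration. It flags plaintext and trivially weak passwords in a user table and shows salted scrypt storage that would pass the audit:

```python
import base64
import hashlib
import hmac
import os

# Constructed deny-list; "password" and "abcd1234" are the examples quoted in the report.
WEAK = {"password", "abcd1234", "123456", "qwerty"}
PREFIX = "scrypt$"  # assumed format: scrypt$<salt_b64>$<digest_b64>

def _scrypt(password: str, salt: bytes) -> bytes:
    # Memory-hard KDF from the standard library (about 16 MiB with these parameters).
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def hash_password(password: str) -> str:
    """Return a salted scrypt record; refuse deny-listed passwords at set time."""
    if password.lower() in WEAK:
        raise ValueError("password is on the deny-list")
    salt = os.urandom(16)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return PREFIX + b64(salt) + "$" + b64(_scrypt(password, salt))

def verify_password(password: str, stored: str) -> bool:
    """Constant-time check; plaintext or malformed records never verify."""
    if not stored.startswith(PREFIX):
        return False
    try:
        salt_b64, digest_b64 = stored[len(PREFIX):].split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return False
    return hmac.compare_digest(_scrypt(password, salt), expected)

def audit(records):
    """List (user, issue) for every record whose password is not stored hashed."""
    findings = []
    for rec in records:
        stored = rec["password"]
        if stored.startswith(PREFIX):
            continue
        weak = stored.lower() in WEAK
        findings.append((rec["user"], "plaintext+weak" if weak else "plaintext"))
    return findings

# Constructed sample table: three plaintext records and one hashed record.
SAMPLE = [
    {"user": "alice", "password": "Password"},
    {"user": "bob", "password": "abcd1234"},
    {"user": "carol", "password": "Tr0ub4dor&3x"},
    {"user": "dave", "password": hash_password("long unique passphrase")},
]
```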

What are the risks of biometric data leaks?

And that's the real concern. It is about what hackers and cybercriminals can do with stolen or leaked biometric data.

The researchers went into greater detail about these risks in their report:

Facial recognition and fingerprint information cannot be changed. Once they are stolen, it can't be undone. The unsecured manner in which BioStar 2 stores this information is worrying, considering its importance, and the fact that BioStar 2 is built by a security company. 

Instead of saving a hash of the fingerprint (that can't be reverse-engineered) they are saving people's actual fingerprints that can be copied for malicious purposes.

Putting all the data found in the leak together, criminals of all kinds could use this information for varied illegal and dangerous activities.

And the impact could travel further than the data of your biometrics:

This could be used in a wide range of criminal activities that would be disastrous for both the businesses and organizations affected, as well as their employees or clients.

It's a tough reminder: protecting your body comes first, even in the digital world.

Check here for the complete report from vpnMentor.