Daily Mirror
Technology
Sophie Curtis

Smart lock system used by UK police and banks leaks fingerprints of 1 million users

A smart lock system that allows users to gain access to secure facilities such as warehouses or office buildings using their fingerprints and facial recognition has suffered a major security breach.

A publicly accessible database belonging to Suprema, the company responsible for the Biostar 2 lock system, has been discovered online, with most of the contents left unprotected and unencrypted.

Security researchers from cyber security firm vpnMentor, who discovered the database, said they were able to easily gain access to the contents of the database by manipulating the URL search criteria.

The database contained over 27.8 million records and 23 gigabytes-worth of data - including fingerprints, facial recognition data, face photos of users, unencrypted usernames and passwords, and personal details of staff.

It's not just our fingerprints which are unique - our tongue prints are too (Getty)

As well as being able to see this data, they were able to edit it and add new users, according to the researchers, potentially allowing hackers to gain unauthorised access to secure facilities and manipulate their security protocols for criminal activities.

"This is a huge leak that endangers both the businesses and organisations involved, as well as their employees," the researchers wrote in a blog post.

"Once stolen, fingerprint and facial recognition information cannot be retrieved. An individual will potentially be affected for the rest of their lives."

The researchers said the sheer scale of the breach was alarming because the smart lock system is in 1.5 million locations across the world.

The facial recognition system is being tested at 14 U.S. airports (US CBP)

Suprema also recently announced its Biostar 2 platform was integrated into another access control system, AEOS, which is used by some of the biggest multinational businesses, governments, banks, and even the UK Metropolitan Police.

The vpnMentor researchers said they made numerous attempts to contact Suprema to alert the company to their findings, but it was "generally very uncooperative".

Steps have now been taken by the company to close the breach.

Suprema told the Guardian in a statement that the company had taken an "in-depth evaluation" of the information provided by vpnMentor and would inform customers if there was a threat.

"If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers' valuable businesses and assets," a spokeswoman for the company said.
