Insecure biometric database leaks 1M+ individuals’ fingerprint scans
Researchers have stumbled upon a publicly accessible biometric database that exposed more than a million people’s fingerprints, along with a wealth of other personal data.
Cybersecurity experts Noam Rotem and Ran Locar of vpnMentor revealed their alarming discovery in a blog post today. The database in question belongs to Suprema ID Inc., a South Korean maker of access management technology for buildings. The company used the system to store data from installations of its Biostar 2 biometric lock product.
Rotem and Locar discovered some 27.8 million unguarded and mostly unencrypted records on the database. The trove included fingerprint scans, face photos collected for facial recognition purposes, usernames, passwords and logs detailing the comings and goings of personnel at facilities that use Biostar 2. Some of the database entries also contained other personal information such as employment records.
The researchers didn’t have to so much as input a password to access the information. “The company [Suprema ID] uses an Elasticsearch database, which is ordinarily not designed for URL use,” Rotem and Locar wrote. “However, we were able to access it via browser and manipulate the URL search criteria into exposing huge amounts of data.”
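The exposure described above is the textbook failure mode of Elasticsearch: a node bound to a public interface with no authentication answers every REST call, so a browser alone can list indices and run searches by editing the URL. The following is an added example, not code from the article, from vpnMentor or from Suprema. It shows the check a defender would run against their own hosts: probe the cluster banner at `/` and the index listing at `/_cat/indices?format=json` without credentials and classify the result. It relies only on the public Elasticsearch REST API; the two local mock servers, the cluster name and the index names and counts are constructed for an offline demonstration and are not Biostar data.

```python
"""Probe an Elasticsearch endpoint for unauthenticated access.

Added example, not code from the article or from vpnMentor/Suprema.
Assumes only the public Elasticsearch REST API: GET / returns the cluster
banner, GET /_cat/indices?format=json lists indices with doc counts.
Run it only against hosts you are authorised to test.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(base_url, timeout=3.0):
    """Return a dict describing what base_url gives an anonymous client.

    status is one of:
      "open"          - ES answered / and listed indices with no credentials
      "auth-required" - ES answered 401/403 (security or a proxy in front)
      "not-es"        - something answered, but not an Elasticsearch banner
      "unreachable"   - connection failed
    """
    result = {"status": "unreachable", "indices": [], "total_docs": 0}
    try:
        with urllib.request.urlopen(base_url + "/", timeout=timeout) as r:
            banner = json.loads(r.read())
    except urllib.error.HTTPError as e:          # must precede URLError
        result["status"] = "auth-required" if e.code in (401, 403) else "not-es"
        return result
    except urllib.error.URLError:
        return result
    except ValueError:                           # body was not JSON
        result["status"] = "not-es"
        return result
    if not isinstance(banner, dict) or "cluster_name" not in banner or "version" not in banner:
        result["status"] = "not-es"
        return result
    result["cluster_name"] = banner["cluster_name"]
    result["version"] = banner["version"].get("number")
    try:
        with urllib.request.urlopen(base_url + "/_cat/indices?format=json",
                                    timeout=timeout) as r:
            indices = json.loads(r.read())
    except urllib.error.HTTPError as e:
        result["status"] = "auth-required" if e.code in (401, 403) else "not-es"
        return result
    # Anonymous listing succeeded: every document in these indices is readable.
    result["status"] = "open"
    for idx in indices:
        count = int(idx.get("docs.count") or 0)
        result["indices"].append((idx["index"], count))
        result["total_docs"] += count
    return result


# ---- constructed mock servers so the probe can be demonstrated offline ----
OPEN_BANNER = {"name": "node-1", "cluster_name": "demo-cluster",
               "version": {"number": "6.8.0"}, "tagline": "You Know, for Search"}
OPEN_INDICES = [                      # constructed sample, not real data
    {"index": "users", "docs.count": "1000"},
    {"index": "access-log", "docs.count": "26800000"},
]


def _mock_handler(require_auth):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):            # keep the demo output quiet
            pass

        def do_GET(self):
            if require_auth:                     # behaves like a secured node
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="security"')
                self.end_headers()
                return
            if self.path == "/":
                body = OPEN_BANNER
            elif self.path.startswith("/_cat/indices"):
                body = OPEN_INDICES
            else:
                self.send_response(404)
                self.end_headers()
                return
            data = json.dumps(body).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
    return Handler


def start_mock(require_auth):
    """Start a mock node on a random loopback port; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _mock_handler(require_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo():
    """Probe one open and one secured mock node; return (open, secured)."""
    open_srv, open_url = start_mock(require_auth=False)
    auth_srv, auth_url = start_mock(require_auth=True)
    try:
        return probe(open_url), probe(auth_url)
    finally:
        for srv in (open_srv, auth_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    exposed, secured = demo()
    print(exposed)
    print(secured)
```

An "open" result means the fix is not a URL filter or a firewall rule bolted on later: the node should never have been reachable anonymously in the first place. Bind `network.host` to a private address, enable authentication on the cluster, or front it with a reverse proxy that requires credentials, and then re-run the probe from outside the trust boundary to confirm it reports "auth-required" or "unreachable".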
It’s not the first time researchers have discovered sensitive records lying around in a database exposed to the open web. In July, a cybersecurity expert came across an unprotected Elasticsearch deployment belonging to Honda Motor Co. that contained 134 million internal records. Accenture Plc., Capital One Financial Corp., FedEx Inc. and many other major enterprises have been involved in similar data protection mishaps over the years.
What makes the Suprema incident different is that the researchers also managed to access the database’s administrative console. According to Rotem and Locar, hackers potentially could have abused the system to give themselves unauthorized access to buildings worldwide.
Suprema claims that there are more than 1.5 million installations of Biostar globally. In some of the facilities, the system is deployed together with AEOS, another access control platform that is used by governments, banks and the U.K. Metropolitan police.
The Guardian reported that Suprema had closed the security hole as of early today. Andy Ahn, the company’s head of marketing, said in a statement issued to the paper that “if there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets.”