Two Key Lessons from the Suprema Biometric Data Breach

The storage of personal identity data is the most crucial, and yet most commonly overlooked step in a biometric system. After an identity is proofed, what happens to the data collected? It’s arguably the step that requires the most security considerations; storing up to millions of data records together. The consequences of this lax attention emerged in the news yesterday as biometric and security provider Suprema was at the center of a major biometric breach.

On August 5th, vpnMentor's team led by internet privacy researchers Noam Rotem and Ran Locar, discovered a massive breach involving one of Suprema's products, Bio Star 2. The product is used to grant access control to secured areas and related activities. The magnitude of the breach is staggering: at least 27.8 million records composing 23 gigabytes of data, including 1 million fingerprints and facial recognition information, have been compromised.

If the sheer number of records doesn't shock you, the quality of the data exposed will. The compromised data includes fingerprints, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff. The team discovered that a large part of BioStar 2's database was unprotected and mostly unencrypted.

"We were easily able to view passwords across the BioStar 2 database, as they were stored as plain text files, instead of being securely hashed", the discovery team stated. In light of this massive biometrics data breach, let's reflect on what can be done differently to avoid similar disasters in the future.

Lesson #1: Encrypt Everything

Having passwords, biometric images, or any information stored as plain text is absurd. Data must be encrypted through multiple methods before being stored. At ImageWare we don't store biometric images; we store encrypted biometric templates, which are a numeric representation of a biometric sample. In the remote case hackers were to get through ImageWare's multiple state-of-the-art defenses and gain access to the data system storing the information, that person would have to reverse-engineer the biometric templates - an extremely long and arduous process. ImageWare's strong encryption and proprietary template formation process makes its encryption extraordinarily secure and virtually impossible to breach.

Lesson #2: Store Biometrics and Personal Identity Data Separately

Storing biographic and biometric information separately is vital to mitigate a breach. The reason is that one piece of information without the other is unusable. It would be like having a password without a username! ImageWare has multiple patents in anonymous storage and transit of biometric data. If a hacker managed to breach ImageWare's data system, decrypt the information, and reverse engineer the biometric templates, the result would be biometrics templates without any link to any other data whatsoever, thus rendering those useless.

When searching for a biometric security provider, it is easy to focus on more exciting steps of the process, such as the user experience and processing speeds. However, a system is only as secure as its weakest point. On-boarding a company that implements multiple security levels at every step, including proprietary algorithms for anonymous storage and transit technology, is mandatory. Biometric companies must be aware that they are not only dealing with data; they are handling unique personal information from millions of users that trust their business.