The exposed database contained the fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees. The web-based Biostar 2 biometric lock system provides centralised access control for secure facilities such as warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition to identify people attempting to gain access to buildings.

In July 2019, Suprema, the company responsible for Biostar 2, announced its platform was integrated into another access control system – AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan Police.

While conducting some projects on private network services, two Israeli security researchers from vpnmentor found Biostar 2’s database was unprotected and mostly unencrypted.

The researchers had access to over 27.8 million records and 23 gigabytes of data, including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff, according to the Guardian.

The researchers made multiple attempts to contact Suprema before taking the story to the Guardian. Suprema’s head of marketing told the Guardian the company had carried out an ‘in-depth evaluation’ of the information provided by vpnmentor and would inform customers if there was a threat.