Israeli security researchers discovered that a company used by the UK Metropolitan police, defense contractors and banks left millions of records unprotected. Data included biometric information. Noam Rotem and Ran Locar handed their research to the Guardian. The loophole had reportedly been closed by the time of this writing.
In a search last week, the researchers found that Biostar 2’s database was unprotected and mostly unencrypted. By manipulating the URL search criteria of the Elasticsearch instance, they were able to reach the stored data. The researchers had access to more than 27.8m records and 23 gigabytes’ worth of data, including admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff. Many of the usernames and passwords were not encrypted, Rotem told the Guardian. “We were able to find plain-text passwords of administrator accounts,” he said.
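The two failures described above, an Elasticsearch node reachable without authentication and credentials stored in plain text, are both things an operator can audit before a researcher does. The script below is an added illustration, not code from the Guardian report or from Biostar 2, and it runs entirely on constructed sample data: a handful of made-up Elasticsearch documents and two elasticsearch.yml fragments. It assumes that properly stored passwords appear in one of the common hash formats (bcrypt, argon2, sha-crypt, PBKDF2) and that the relevant settings are the real `xpack.security.enabled` and `network.host` keys; the field names and document ids are invented for the example.

```python
import re

# Hash formats the audit accepts as "not plain text". Assumption for this example:
# a credential field holding anything else is treated as a finding.
HASH_PATTERNS = [
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),   # bcrypt
    re.compile(r"^\$argon2(i|d|id)\$"),                      # argon2
    re.compile(r"^\$(5|6)\$"),                               # sha256-crypt / sha512-crypt
    re.compile(r"^pbkdf2[_-]sha(256|512)\$"),                # PBKDF2 (Django-style encoding)
]

# Field-name fragments that indicate a credential (assumption: project-specific names vary).
CREDENTIAL_KEYS = ("password", "passwd", "pwd", "secret")

# network.host values that expose the node beyond loopback.
PUBLIC_BINDS = {"0.0.0.0", "::", "_site_", "_global_"}


def walk(obj, prefix=""):
    """Yield (dotted_path, leaf_value) for every leaf in a nested _source document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{prefix}{key}.")
    else:
        yield prefix.rstrip("."), obj


def looks_hashed(value):
    """True if the value matches one of the accepted password-hash encodings."""
    return isinstance(value, str) and any(p.match(value) for p in HASH_PATTERNS)


def find_plaintext_credentials(records):
    """Return (doc_id, field_path) pairs for credential-like fields not stored as a hash."""
    findings = []
    for doc in records:
        doc_id = doc.get("_id", "<no id>")
        for path, value in walk(doc.get("_source", {})):
            leaf = path.rsplit(".", 1)[-1].lower()
            if any(k in leaf for k in CREDENTIAL_KEYS) and not looks_hashed(value):
                findings.append((doc_id, path))
    return findings


def audit_config(config):
    """Return a list of exposure problems found in an elasticsearch.yml-style mapping."""
    issues = []
    if str(config.get("xpack.security.enabled", "false")).lower() != "true":
        issues.append("xpack.security.enabled is not true: REST API accepts unauthenticated requests")
    host = str(config.get("network.host", "127.0.0.1"))
    if host in PUBLIC_BINDS:
        issues.append(f"network.host={host}: node listens on non-loopback interfaces")
    return issues


# Constructed sample documents, shaped like Elasticsearch search hits.
SAMPLE_RECORDS = [
    {"_id": "admin-1", "_source": {"username": "admin", "password": "Password1",
                                   "role": "administrator"}},
    {"_id": "user-7", "_source": {"username": "jdoe",
                                  "password": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
                                  "profile": {"api_secret": "plain-token-abc"}}},
    {"_id": "user-8", "_source": {"username": "asmith",
                                  "password": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$AAAA",
                                  "badge": 1234}},
]

# Constructed config fragments: the exposed setup beside a corrected one.
WEAK_CONFIG = {"network.host": "0.0.0.0", "xpack.security.enabled": False}
HARDENED_CONFIG = {"network.host": "127.0.0.1", "xpack.security.enabled": True}

if __name__ == "__main__":
    for doc_id, field in find_plaintext_credentials(SAMPLE_RECORDS):
        print(f"plaintext credential: doc={doc_id} field={field}")
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name} config: {audit_config(cfg) or ['no issues']}")
```

On the sample data the audit flags the administrator's plain-text password and the nested `api_secret`, leaves the bcrypt and argon2 entries alone, and reports two problems for the weak configuration and none for the hardened one. Running the credential scan over a real index export, and the config check as part of deployment review, catches both of the conditions the researchers reported.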