(Bloomberg) -- Millions of pieces of personal data, including fingerprints, may have been leaked from a cloud-based service that stores biometric data for companies and organizations worldwide, security researchers said.
Computer scientists working with software firm VpnMentor said they discovered a vulnerability in South Korean Suprema Inc.’s Biostar 2 program, which left unencrypted usernames and passwords accessible to outsiders.
However, implicated companies have expressed confusion and frustration at either being mistaken for different businesses with the same name, or simply not being told soon enough to help them avoid potential data-protection fines.
Tile Mountain, a Stoke-on-Trent-based company that was listed in the report, told Bloomberg it hadn’t been made aware of the leak until Wednesday when journalists began getting in touch.
“It is concerning that no contact was made to inform us that data may have been compromised,” Tile Mountain Information Technology Director Colin Hampson said in a statement.
“This could potentially have prevented Tile Mountain from carrying out its obligations under GDPR,” he said, adding that the company is satisfied that its employee and customer data was secure.
GDPR, Europe’s strict General Data Protection Regulation, allows companies that fail to adequately protect personal information, or to alert authorities to breaches, to be handed fines of as much as 4% of their global annual revenue. Marriott International Inc. and British Airways are among those to have fallen on the wrong side of this law.
The report also named Phoenix Medical as a U.K.-based firm that had been compromised. But a spokeswoman for the company linked to by VpnMentor said it doesn’t use Biostar 2 and the wrong Phoenix Medical -- of which there are multiple registered on British business registry Companies House -- had been named. VpnMentor later updated its report to identify the correct Phoenix Medical, which is based in Tennessee. A spokesman for the U.S. health-care product manufacturer told Bloomberg it had used Biostar 2, but had not been made aware of a potential breach.
London’s Metropolitan Police force was referred to as a Suprema software user but not explicitly cited as having had its data leaked. Representatives for the Met didn’t immediately respond to a request for comment.
The South Korean company’s head of marketing, Andy Ahn, told the Guardian, which first reported the breach, it had reviewed information from VpnMentor and would contact any customers if they were discovered to be affected.
Noam Rotem and Ran Locar, the internet privacy researchers who discovered the leak, said tens of millions of people could be affected, although there’s no evidence yet that anybody has been. Representatives at Suprema, which is valued at nearly $60 billion, did not respond to requests for comment for this story.
“With this leak, criminal hackers have complete access to admin accounts on Biostar 2,” the researchers wrote in a report published Wednesday. “They can use this to take over a high-level account with complete user permissions and security clearances, and make changes to the security settings in an entire network.”
The researchers said they discovered the vulnerability on Aug. 5 and informed fingerprint identification device maker Suprema, which has since fixed the vulnerability. It’s not clear how long the loophole may have existed.