[BreachExchange] Employee ID company leaves 76,000 fingerprints exposed to hackers online along with email addresses and phone numbers

Destry Winant destry at riskbasedsecurity.com
Fri Mar 13 10:21:42 EDT 2020


https://www.dailymail.co.uk/sciencetech/article-8100805/Employee-ID-firm-leaves-76-000-fingerprints-exposed-online-email-addresses-phone-numbers.html

Nearly 76,000 unique fingerprints were exposed online in an
unprotected database belonging to a Brazilian firm that develops
fingerprint identification systems for corporations.

Also in the bucket were email addresses and telephone numbers of the
employees whose prints were being stored by the company, Antheus
Tecnologia.

The fingerprint data included ridge bifurcation and ridge ending data,
both of which describe characteristics used to tell fingerprints
apart.

Although the information was stored as binary data, a string
of zeros and ones, researchers who uncovered the database said
cybercriminals could create a biometric image of the person’s
fingerprint with the data.


The discovery was made by security researchers at Safety Detectives,
who accessed the database containing 16 gigabytes of information that
included highly sensitive identification and biometric details. It has
since been secured, as first reported by CNET.

The bucket belongs to Antheus Tecnologia, which develops and
distributes Automated Fingerprint Identification Systems (AFIS),
automated fingerprinting and other systems such as iris recognition
devices.


And the firm claims to be the first Brazilian company to be certified
by the US Federal Bureau of Investigation (FBI) and develops biometric
solutions for domestic and overseas clients.

Safety Detectives found more than 81.5 million records that
contained employee emails and telephone numbers, along with the 76,000
fingerprints.

‘The unsecured method in which Antheus Tecnologia stores information
is rather alarming considering its importance. It’s even more alarming
that Antheus Tecnologia was built and deployed by a security company,’
said Safety Detectives.

‘Instead of saving a hash of the fingerprint (that cannot be
reverse-engineered), Antheus is saving people’s actual fingerprints
through rudimentary encoding which can then be replicated for
malicious purposes.’

The team explained that bad actors could use the information left
unprotected to commit illegal and dangerous activities such as gaining
access to restricted or classified information, extortion, phishing
attacks and more.

‘Data breaches relating to fingerprint data are particularly concerning
because of the inherent inability for users to refresh their security
information,’ researchers share.

‘Given current consumer and professional trends, fingerprints are
replacing typed passwords in many consumer goods such as phones and
laptops.’

‘Most fingerprint scanners on consumer goods are encrypted, so when a
hacker develops technology to replicate your fingerprint, they could
gain access to all the private information such as messages, photos
and payment methods stored on your device.’

