Biostar 2: Suprema plays down fingerprint leak reports

A biometric-security company has played down reports its software exposed "a million" fingerprints, making them vulnerable to hackers on the web.

Suprema's Biostar 2 program was accessed online by cyber-security researchers earlier this month.

The researchers say they found data from companies that use the system.

Suprema said the access point had now been closed and an investigation had found the scope of the leak to be "significantly less" than reported.

The cyber-security researchers involved, however, are standing by their research.

One of them, Noam Rotem, told BBC News the evidence he had obtained did in fact indicate large amounts of biometric data had been made available online.

He and his colleague Ran Locar had worked with cyber-security company VPNMentor to disclose the breach.

South Korea-headquartered Suprema makes a range of products, including fingerprint readers that allow companies to control access to specific areas of sites or buildings.

"Last week, we were made aware that some BioStar 2 customer user data was accessed by third-party security researchers without authorisation for a limited period of time," the company said in a statement.

"There are no indications that the data was downloaded during the incident based on the investigation to date.

"We have also engaged a leading global forensics firm to conduct an in-depth investigation into the incident.

"Based on their investigation to date, they have confirmed that no further access has occurred and that the scope of potentially affected users is significantly less than recent public speculation."

Suprema added it was in the process of identifying affected parties and engaging with relevant regulators and authorities.

There had been concerns that one of the affected clients was the Metropolitan Police, which was reported to have used Suprema technology.

However, a spokeswoman told BBC News: "No Met biometrics systems have been exposed as part of this breach based on our assessment."

The dispute over how big the leak was can be explained by the fact the researchers say they did not, for ethical reasons, attempt to download all the fingerprint files.

Rather, they had taken "hundreds" of samples of data, said Mr Rotem. And these appeared to encode fingerprint patterns from a random selection of accounts in the Biostar 2 dataset.

They then used Suprema's software to convert about half a dozen examples into visible fingerprint patterns.

From this, they estimated the dataset contained "at least over a million" fingerprint patterns in total.

"We have evidence that biometric data was leaked," Mr Rotem told BBC News.

"We did not download everything, because it would be unethical."

Following the publication of VPNMentor's report on the data exposure, some had questioned the extent to which real fingerprint data had been accessible.

However, a security researcher at University College London who was not involved in the work done by Mr Rotem and his team said he understood why the researchers did not download the full dataset, given there may be ethical and legal implications in doing so.

"If they see a million files and they download 100 at random, there's a good reason to believe the rest have that data as well," said Dr Steven Murdoch.

"They're limiting the privacy invasion for legal and ethical reasons.

"They've identified a problem - the scale is actually something for the regulator to sort out."