Suprema has formally responded to the alleged security vulnerabilities discovered in its BioStar 2 access control system, acknowledging that unauthorized security researchers were able to access sensitive data, but insisting that the scope of the breach was exaggerated in earlier reports.
The reports revolved around claims from a pair of security researchers affiliated with the VPNMentor firm, who said that they were able to enter a publicly accessible server for BioStar 2 on August 5th, where they found unencrypted username and password data of BioStar 2 users as well as biometric information that had not been hashed. They said that the server was closed off on August 13th.
Now, Suprema President Young S. Moon has issued a statement acknowledging the breach while insisting that its impact was limited. “There are no indications that the data was downloaded during the incident based on the investigation to date,” he wrote, adding that the security incident “relates to a limited number of BioStar 2 Cloud API users.”
“The vast majority of Suprema customers do not use BioStar 2 Cloud API in their access control and time management solutions,” he wrote.
The Suprema chief executive also noted that the company has “engaged a leading global forensics firm to conduct an in-depth investigation into the incident,” and said that the firm has so far been able to confirm “that the scope of potentially affected users is significantly less than recent public speculation.”
The investigation is ongoing, and Suprema has committed to working with relevant regulators and other authorities, and to contacting affected parties with further information as it is found. But Young insists that the company's delivery of exemplary biometric solutions “remains our priority” as all of this unfolds.
August 21, 2019 – by Alex Perala