Security researchers have uncovered a massive data breach at the Brazilian company Antheus Tecnologia, which produces and sells biometric solutions both in Brazil and internationally.
The data was discovered on an unsecured server and included 76,000 unique fingerprints, company employees' email addresses, telephone numbers and more. The server did not store the fingerprint scans themselves, but binary-encoded fingerprint data from which an attacker could potentially recreate the prints, with harmful results.
In response to the report, Antheus Tecnologia stated that the exposed fingerprints are public and claimed that the captured data had been hashed. The researchers found, however, that it had not been.
“The unsecured method in which Antheus Tecnologia stores information is rather alarming considering its importance. It’s even more alarming that Antheus Tecnologia was built and deployed by a security company,” writes Safety Detectives researcher and post author Jim Wilson.
“Instead of saving a hash of the fingerprint (that cannot be reverse-engineered), Antheus is saving people’s actual fingerprints through rudimentary encoding which can then be replicated for malicious purposes.”
The exposed server contained roughly 16 gigabytes of data and 81.5 million records, including administrator login information, employee telephone numbers, email addresses and company emails. Brazil's national Civil Identification System uses Antheus services to issue driver's licenses, and according to the report, the access portal for onboarding new users is not password-protected.
In the post, Safety Detectives emphasizes the sensitivity of fingerprint data and the importance of keeping it secure.
The exposure is reminiscent of the OPM hack, in which a trove of unencrypted biometric records was stolen from the U.S. government agency. It also highlights the importance of liveness detection.