Security News Survey – August 16, 2019

This week, we look at millions of exposed biometric records, thousands of compromised hotel guests, and 30-plus companies breached by the Capital One hacker.

It’s been a busy week on the data breach front, with several companies across the world making headlines for major security incidents. Let’s take a look at a few news items that stood out starting with a data breach resulting in the exposure of particularly sensitive data.  

Database leak exposes millions of biometric records

Nearly 28 million biometric records have reported been compromised due to a data leak traced back to Suprema, a security company used by police, banks, defense contractors, and other enterprises in the United Kingdom. Security researchers discovered that the data leak stemmed from Biostar 2, Suprema’s web-based biometric security system that provides access control to buildings. The system uses facial recognition technology and fingerprinting to identify users. Unfortunately, due to the nature of the data collected by Biostar 2, the data leak has resulted in the exposure of very sensitive and, unfortunately, unchangeable data. Compromised information includes fingerprints, facial recognition data, unencrypted names and passwords, and more of over one million individuals. Suprema was made aware of the security researchers’ findings and secured the database one week after being notified. 

Thousands of guest records exposed in Choice Hotels data breach 

This week, Maryland-based hospitality franchisor Choice Hotels International confirmed a data breach stemming from an unsecured MongoDB database. According to reports, a third-party potentially accessed and stole 700,000 Choice Hotels guest records containing names, email addresses, and contact information via an unsecured server that was publicly available without any authentication measures. When security researchers discovered the unsecured database, they also found a ransom note with a 0.4 Bitcoin demand, which is assumed to have been placed there by an automated script. The database was secured as soon as Choice Hotels was made aware. The company claims that the database belonged to a third-party vendor, which it will no longer be partnering with.  

Capital One hacker may have stolen data from 30 other companies

It looks like the other shoe is dropping for Paige Thompson, the hacker allegedly responsible for the Capital One breach that compromised sensitive data of more than 100 million Americans and Canadians. According to new court documents, Capital One is believed to be one of several companies—more than 30, in fact—that was breached by Thompson. U.S. officials are still in the process of identifying and notifying the companies to whom all data found on Thompson’s home server belongs to, but initial reports suggest that major financial institutions, telecommunications companies, educational institutions, and state government agencies may be on the list of victims. We’ll be keeping an eye out to see which companies have been impacted by Thompson’s extracurricular hack-tivities.