A company that develops and distributes fingerprint identification systems for enterprises has suffered a major data breach. Researchers have found that Antheus Tecnologia, which is a Brazil-based employee identification company, leaked data of more than 81.5 million employees.
Antheus Tecnologia suffers a major data breach
This leaked data includes employees’ work e-mail addresses, mobile numbers, and 76,000 unique fingerprints. Cybercriminals could use this data to forge fingerprints, gain unauthorized access to the system, and commit identity fraud.
Researchers at SafetyDetectives discovered a major data leak and security flaws in an Antheus log server in Brazil. Upon investigating further, a team led by Anurag Sen found approximately 2.3 million data points in total. Based on their discovery, researchers estimate that 76,000 unique fingerprints could have been stolen.
The Antheus server contained approximately 16GB of data exposing sensitive information such as identification and biometric details of hundreds of thousands of employees.
Researchers further examined an identity server of the firm that handles the registration of new users. The database also contained fingerprint information in at least two indices. Meanwhile, the face recognition database also showed signs of vulnerabilities.
“In parallel to the biometric data breach, Antheus Tecnologia also has another related vulnerability which we noticed during our investigation.”
“The company provides services to a national Civil Identification System in Brazil used to issue driving licenses although the access portal used for onboarding new users is not secure given the lack of password protection.”
In what appears to be an unusual methodology, the vulnerability in the Antheus identity server allows users to take control of its system and register new users, further leaving the database exposed to cybercriminals.
According to researchers, cybercriminals could then recreate or find a method to reverse-engineer a biometric image map for a particular fingerprint.
Sensitive biometric data such as facial recognition, retina scans, and fingerprint information is permanent and cannot be changed. If stolen or misused, it could result in identity fraud and other serious crimes caused by impersonation.