Database Without Authentication Leaks “biometric identity information of members of the police, army, teachers, and railway workers”

The database vendor isn’t mentioned in the report but I think we can probably all guess the name.

Aside from that important fact, this report is about the dangers of centralizing biometrics into a singular place where a single mistake harms practically everyone in society. Not all, but some, and that’s more than enough to worry.

The publicly exposed database contained 1,661,593 documents with a total size of 496.4 GB. I saw documents containing: facial scan images, finger prints, signatures (in English and Hindi), identifying marks such as tattoos or scars, and much more. There were also scans of documents such as birth certificates, testing and employment applications, diplomas, certifications, and other education related files. Among the most concerning files were what appeared to be the biometric data of individuals from the police and military in verification documents. Upon further investigation, I saw documents indicating the records belonged to two separate entities which suggests they operate under the same ownership: ThoughtGreen Technologies and Timing Technologies, each of which provide application development, analytics, development outsourcing, RFID technology, and biometric verification services.

Fingerprints are, in other words, public and very widely distributed: think about how often and where you have been leaving yours, like on a glass at a restaurant.

Source: “The Quantum Mechanics Of Fingerprints On Your Water Glass”, In The Loop

However, having your fingerprints grabbed by someone who is pulling over 1.5 million other people’s fingerprints at the same time (because a single database vendor on the Internet failed to require authentication) is a different issue.

Related:

Here’s a very similar story, where hacking the data service vendor Snowflake just led to a massive leak from many of their customers.

In the conversation with Hudson Rock, the threat actor reveals that there is much more to the story than these two breaches, and that additional major companies suffered a similar fate, allegedly including:

— Anheuser-Busch
— State Farm
— Mitsubishi
— Progressive
— Neiman Marcus
— Allstate
— Advance Auto Parts

Further explaining the source of the hack, the threat actor adds that all of these breaches stem from the hack of a single vendor — Snowflake. […] To put it bluntly, a single credential resulted in the exfiltration of potentially hundreds of companies that stored their data using Snowflake, with the threat actor himself suggesting 400 companies are impacted.

When a single employee can be compromised to give access to hundreds or thousands of customers, the Snowflake response probably shouldn’t be that context is needed.
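The pattern the post describes, one credential at a shared data vendor reaching into many of that vendor’s customers, is exactly what a vendor’s own audit logs should surface before the data is gone. The following is an added example, not code from the post, from Snowflake, or from any vendor mentioned here: a small detector run over constructed audit-log lines that flags any credential touching an unusual number of distinct customer tenants inside a short time window and reports the bytes read. The log format, field names (`cred`, `tenant`, `bytes`), the sample credentials and tenants, and the thresholds are all assumptions.

```python
"""Added example: flag one credential that reaches many customer tenants.

Detection over constructed audit-log lines (not from the original post or any
vendor). Field names and thresholds are assumptions; in practice the baseline
would come from each credential's normal tenant footprint.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, credential id, tenant id, bytes read.
# One service credential sweeps five tenants in 15 minutes; an analyst stays
# within the single tenant she always works in.
SAMPLE_LOG = """\
2024-05-30T01:02:03Z cred=svc-etl-17 tenant=acme bytes=120000
2024-05-30T01:05:10Z cred=svc-etl-17 tenant=globex bytes=9800000
2024-05-30T01:09:44Z cred=svc-etl-17 tenant=initech bytes=45000000
2024-05-30T01:12:01Z cred=svc-etl-17 tenant=umbrella bytes=31000000
2024-05-30T01:15:30Z cred=svc-etl-17 tenant=hooli bytes=12500000
2024-05-30T02:00:00Z cred=analyst-jane tenant=acme bytes=4000
2024-05-30T03:30:00Z cred=analyst-jane tenant=acme bytes=2200
2024-05-30T09:00:00Z cred=svc-etl-17 tenant=acme bytes=5000
"""


def parse_line(line):
    """Parse one 'ts key=value ...' line into (datetime, cred, tenant, bytes)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        kv["cred"],
        kv["tenant"],
        int(kv["bytes"]),
    )


def flag_broad_access(log_text, max_tenants=3, window=timedelta(hours=1)):
    """Return {cred: (distinct_tenants, bytes_read)} for every credential that
    reaches more than max_tenants distinct tenants inside any sliding window of
    the given length. The widest window seen per credential is reported."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, cred, tenant, nbytes = parse_line(line)
            events[cred].append((ts, tenant, nbytes))

    findings = {}
    for cred, evs in events.items():
        evs.sort()  # chronological order so each window starts at one event
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            tenants = {t for _, t, _ in in_window}
            if len(tenants) > max_tenants:
                total = sum(b for _, _, b in in_window)
                prev = findings.get(cred)
                if prev is None or len(tenants) > prev[0]:
                    findings[cred] = (len(tenants), total)
    return findings


if __name__ == "__main__":
    for cred, (n_tenants, nbytes) in flag_broad_access(SAMPLE_LOG).items():
        print(f"ALERT {cred}: {n_tenants} tenants, {nbytes} bytes in one window")
```

The threshold is deliberately per-credential rather than global: a credential that legitimately serves one tenant and suddenly fans out across five is the signal, regardless of how much data any one tenant holds. Pairing this with a hard requirement for MFA on every credential removes the single point of failure the post is complaining about; the detector is the safety net for when that control slips.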

Even worse is when they start saying that Snowflake wasn’t involved in any way with the massive theft of customer data from Snowflake. Uh huh.

Here’s what they allegedly are trying to snow reporters with:

On May 31st, Snowflake released a statement in which they claim that they are investigating industry-wide identity-based attacks that have impacted “some” of their customers.

Industry-wide is another way of saying baseline.

What Snowflake is inadvertently saying is that they fell below an acceptable baseline while being trusted NOT to do exactly that.

Watch the “who me, am I the baddie” Snowflake now try to point the finger at its customers, a known horrible idea and safety anti-pattern. Like blaming bank customers for the vault being robbed of their money. Or blaming Tesla owners for being killed by the Autopilot.

That’s very bad news for some customers, even if not every single one. It would have been far less bad news if Snowflake had done more to prevent a single employee compromise from affecting so many customers, let alone had not turned a blind eye to widespread known threats that would very predictably harm them.

Negligence? Due diligence? You make the call. Every Snowflake customer now should be planning to exit that vendor to find better care, not least of all because of how Snowflake is responding.
