Dubai's Global Village reassures customers following 'fingerprint hack'

The live entertainment venue responds to reports that 15,000 fingerprints were among more than 1 million documents, from around the world, accessed by hackers

DUBAI, UNITED ARAB EMIRATES - OCTOBER 30, 2018. 

UAE Pavilion.

Global Village opened it's gates today to the public for its 23rd season.

(Photo by Reem Mohammed/The National)

Reporter: PATRICK RYAN
Section:  NA
Powered by automated translation

A major Dubai venue operator has said customers’ data has not been compromised following claims that 15,000 fingerprints it held had been easily accessed by hackers.

Global Village, which runs the popular Dubai entertainment complex open between October and April, said it “is currently not facing any security vulnerability”.

It made the statement after it was named as one of several companies affected by a leak of sensitive data held by an external security firm.

Researchers working with vpnMentor, a cyber security company, said they were able to access more than a million fingerprints, and other sensitive data such as account passwords and photographs, used by a security tool known as Biostar 2.

The platform is used by thousands of companies, including the largest police force in the UK, to control access to secure parts of facilities. Iffco, the food products group based in Dubai, was also named as one of the global businesses affected. Iffco did not respond to a request for comment.

"We can confirm that Global Village is currently not facing any security vulnerability," a company spokesman told The National.

“We do not collect any biometric data from our guests and visitors as only entry ticket barcodes are scanned once they enter Global Village.

“We are currently investigating this report internally and we will not be giving any further comments on it.”

The spokesman did not respond to further enquires as to whether it collected biometric data from people other than customers, for example staff or contractors, who are more likely to be affected given the typical uses of the security programme.

The researchers claimed they had been able to access large databases used by the Biostar 2 security systems.

The data they found could have allowed criminals make changes to security networks potentially allowing them to gain physical access to secure sites, such as security facilities and banks. Individuals could also be left open to identity and theft and fraud, they said.

“The potential for criminal activity and fraud is massive,” vpnMentor said, in a report detailing its findings.

“This is a huge leak that endangers both the businesses and organisations involved, as well as their employees.”

They pointed out that unlike passwords, fingerprints and other biometric data could not be changed, with leaks potentially affecting victims for life.

The data was publicly available, accessed through manipulating website addresses, the researchers said. They claimed that in total, 23 gigabytes of data containing nearly 30 million records were found exposed online. The data was made private on August 13, almost a week after vpnMentor said it alerted the security firm to its findings.

Suprema, the firm that builds and markets Biostar 2, said in a statement to the BBC News that it was aware of reports of the breach and was taking them "very seriously".

"[Suprema] is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary," the statement said.