LONDON - More than a million fingerprints and other sensitive data have been exposed online by a biometric security firm, researchers say.

Researchers working with cyber-security firm VPNMentor say they accessed data from a security tool called Biostar 2. It is used by thousands of companies worldwide, including the UK’s Metropolitan Police, to control access to specific parts of secure facilities.

Suprema, the firm that offers Biostar 2, said it was addressing the issue. “If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets,” a company spokesman told the Guardian.

According to VPNMentor, the exposed data, discovered on 5 August, was made private on 13 August. It is not clear how long it was accessible.

As well as fingerprint records, the researchers say they found photographs of people, facial recognition data, names, addresses, passwords, employment history and records of when they had accessed secure areas.

Since news of the data exposure broke, some have questioned the extent to which real fingerprint data was made available. However, the cyber-security researchers say they stand by their research.

Suprema said in a statement to the BBC it was aware of reports of the breach and was taking them “very seriously”.

“[Suprema] is investigating the allegations in the press reports and will liaise with any appropriate third parties and/or individuals as necessary.

“At this stage, it cannot make any further comment but will, if appropriate, issue a further press statement in due course, including corrections of any erroneous assertions in the reports to date.”

Among the UK organisations directly affected by the breach was Tile Mountain, a homeware retailer.

Biostar 2 was only used at the company’s head office in Stoke on Trent, IT director Colin Hampson said.

He said that since 26 February 2018 Tile Mountain had not been an “active client” of Suprema’s and had instead stored biometric data on its own secure internal servers.

“Despite Tile Mountain not being an active client of Suprema it is concerning that no contact was made to inform us that data may have been compromised - this could potentially have prevented Tile Mountain from carrying out its obligations under GDPR [General Data Protection Regulation],” he added.