Adecco Says Data of Belgian Staff Affected by Suprema Leak

August 22, 2019

The Adecco Group told Belgium’s privacy regulator that the breach of a security platform run by South Korea’s Suprema ID Inc. compromised the biometric data of some 2,000 employees of its Belgian unit. It is a huge data breach under the GDPR.

The breach of Suprema’s BioStar 2 system affected data including fingerprints and facial recognition details of Adecco employees, the country’s data protection authority said in a statement Wednesday.

BioStar 2 is a web-based biometric security smart lock platform. As a centralized application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with third-party security apps, and record activity logs. As part of the biometric software, BioStar 2 uses facial recognition and fingerprinting technology to identify users.

The regulator said it’s in touch with Adecco to check the “seriousness of this breach.” A spokeswoman for Suprema declined to comment. An Adecco spokeswoman confirmed that staff data was compromised and that it is “investigating this supplier data breach.”

Suprema had tried to soothe concerns on Tuesday, saying in a statement that fewer users were at risk of having been affected than initially thought. “We launched an internal investigation and immediately closed the access point,” Suprema said. “In addition, we have also engaged a leading global forensics firm to conduct an in-depth investigation into the incident.”

Once lost, data such as digital fingerprints are nearly impossible to retrieve. Cybercriminals, state-sponsored actors and terrorist organizations might be particularly interested in getting their hands on this sort of information, according to security experts.

“This concerns the loss of control of extremely sensitive data of no fewer than 2,000 people,” David Stevens, president of the Belgian watchdog, said in the statement. He said it’s their duty “to shed light on this.” Under the General Data Protection Regulation, European-based companies are required to report a breach if there is a “high risk” of impacting personal data.
