
Doors Wide Open: hundreds of thousands of employees exposed; thousands of organisations physically vulnerable

Modat Team

What Happens When Access Management Systems Compromise Physical Security & Employee Privacy


Abstract

A global security risk has been uncovered due to misconfigured and exposed Access Management Systems (AMS) across multiple industries and regions. The widespread internet exposure of these systems reveals security issues affecting organisations worldwide, including critical sectors such as construction, healthcare, education, manufacturing, oil, and government entities. These vulnerabilities have led to the exposure of hundreds of thousands of highly sensitive employee records, including personal identification details, biometric information, photographs, and work schedules. In addition, the physical security of thousands of organisations worldwide has been compromised. The potential for unauthorised entry into buildings and the ability to bypass physical security measures pose severe threats to organisational safety. A high concentration of AMS exposure has also been detected in European countries, the US, and the MENA region, indicating a broad-scale security lapse. The impact of these exposures varies from financial losses and regulatory penalties such as GDPR fines, to serious breaches that could lead to identity theft, unauthorised access, and confidential business disclosures.


Introduction:

This research conducted by Modat investigates exposure and misconfigurations in Access Management Systems (AMS) across multiple regions and industries, such as critical infrastructure and key verticals.   

Comprehensive data analysis powered by the Modat Magnify platform identified significant exposure points. Highlights of these risks include inadequate configurations, outdated protocols, and insufficient monitoring mechanisms.   

The findings emphasise the urgent need for robust security strategies to mitigate risks and strengthen AMS in critical environments. This study provides actionable insights to enhance resilience and reduce vulnerability exposure across different industries. 


Figure 1: Examples of access management systems

Key Findings 


  • Misconfigured and exposed Access Management Systems (AMS) in different organisations around the globe. Widespread internet exposure of AMS across multiple countries indicates a worldwide problem.

  • Identified critical misconfigurations in key industries including construction, healthcare, education, manufacturing, the oil industry, and governments.

  • Detected extensive exposure of sensitive employee data. Personal identification information, employee photographs, biometric data, work schedules, payslips, and complete facility control and access were all found.

  • Compromised physical security of multiple organisations. Access to buildings and bypasses of physical security are possible using the exposed and misconfigured AMS.

  • Detected a high concentration of vulnerabilities. These were shown in European countries, the US and the MENA region. 

  • Observed varying impact types. Potential for data exposure, identity theft, unauthorised physical access, disclosure of confidential business operations, and widespread privacy violations affect thousands of employees globally, which can result in GDPR fines.

  • Potential impacts on these organisations vary, from financial damages and regulatory consequences to real-world breaches.


    NOTE: we will share this in more detail in a follow-up blog after responsible disclosure to the affected providers is fully completed.


Background 


Access Management Systems are crucial in modern security, yet they can often present significant vulnerabilities. Some systems offer comprehensive access control features, but their network-connected nature can create potential attack vectors. The integration of IT and OT, though beneficial for business operations, may expose additional network entry points. If not properly secured, this could cause enormous data leak points and physical security bypasses.


Biometric systems, while providing robust authentication, require careful attention to network and systems security and encryption to protect sensitive biometric data. Some automated systems use license plate recognition, which can be susceptible to spoofing attacks if not implemented with proper verification protocols. These vulnerabilities underscore the importance of following cybersecurity best practices when deploying access management systems.

Our research revealed concerning levels of internet exposure for these access management systems globally. Through extensive analysis, we identified numerous instances with misconfigurations and security vulnerabilities that could potentially compromise these assets and affect the overall security of owners' organisations. What was particularly concerning was the risk of unauthorised access to sensitive employee data and personal information stored within these systems.

Following our findings, we immediately initiated a responsible disclosure process, contacting system owners directly to alert them of the identified risks and providing guidance for remediation. This proactive approach protects organisations and their employees from potential data breaches while maintaining ethical research standards.


Figure 2: Example of an exposed system and the amount of employee data accessible (fingerprint-based access)
Figure 3: Example of an exposed system (employee ID card-based access)

Investigation


Modat’s research team initiated this comprehensive investigation into the security landscape of AMS in early 2025. Using Modat Magnify, our team conducted global scanning and identified an unusual pattern of exposed access management interfaces in many countries.


Figure 4: Modat Magnify search results for AMS as of Jan 21st, 2025

As we delved deeper into our findings, we discovered that many of these systems inadvertently exposed sensitive information to the internet. What started as a routine assessment quickly evolved into a critical investigation as we uncovered the scale of potential data exposure. These systems contained extensive employee databases, including personal information, access logs, biometric data, and detailed facility access patterns.


The implications of these findings were significant - organisations ranging from small businesses to large enterprises had unknowingly left their access management systems exposed, potentially compromising not just their physical security, but also the privacy of their employees. Our team immediately recognised the gravity of the situation and worked diligently to notify affected organisations and provide guidance on how they can ensure the security of their systems.


This investigation highlighted the often-overlooked security issues that can arise in physical security systems when they intersect with digital networks. It also demonstrates how Modat's unique fingerprinting capabilities can play an essential role in building resiliency by identifying and mitigating these risks before they can be exploited by malicious actors.


Based on what we viewed on our platform, and focusing mainly on access management tools used by companies and organisations (excluding devices found in residential buildings), we found more than 49k exposed devices related to access management and physical security.


Figure 5: Overall exposure of AMS (worldwide)

Our global analysis revealed significant variations in the exposure of access management systems across different regions: 

  • Italy emerged as a main focal point with an alarming 16,678 exposed systems, followed by Mexico with 5,940 and Vietnam with 5,035 instances.

  • While the United States showed a moderate exposure level of 1,966 systems, other technologically advanced nations like Canada (1,040) and Japan (487) demonstrated relatively lower numbers of exposed systems.  

  • The Netherlands was not immune to these security challenges, as our scans revealed 147 exposed systems.  

  • European nations overall showed a mixed picture, with Spain registering 1,151 exposed systems and France reporting 517 instances, and other regions totalling approximately 50k devices. This indicates that even regions with strong data protection frameworks are not exempt from these security vulnerabilities.


Use Cases - Example of Findings


Employee Data Exposure:

In Figures 6 and 7 we can see how one of these systems is exposing all available information about employees and the departments they belong to:

Figure 6: Example of departments in one of the exposed organisations
Figure 7: Example of exposed employee data

The examples below show another Access Management System that lets us see and alter the information of the employees including: full name, birthday, hire date, email, phone number. It is also possible to alter the employee picture which could be used to gain access to the building by creating new entries. Lastly, we can see which type of access is used by each of the employees (Biometrics or Card):

Figure 8: List of Employee data with biometrics and personal information
Figure 9: Example of exposed employee file

Figure 10 below illustrates another example where we can see employees' personal information. Included are: the photo taken by the employee, their access time, and the building or floor they obtained access to.

Figure 10: Example of exposed employee data

Physical Access Control:

These types of devices are used to manage vehicle access. They allow their owners to control who can access the building and who cannot, track this access, and save proof of the detected license plate. As can be seen below, any attacker can get access to this information and alter it by whitelisting or blacklisting a specific license plate. Also, they are able to get access to license plates of interest in very specific cases (government vehicles, etc.).

Figure 11: Example of physical access management by license plate
Figure 12: Example of physical access whitelist / blacklist
Figure 13: Example of vehicle building access with photo proof
Figure 14: Additional example of vehicle plate detection

Conclusions & Recommendations


Our comprehensive analysis uncovered widespread misconfiguration issues across diverse industry sectors that raised significant privacy and security concerns. The affected organisations spanned critical industries like construction firms and the oil industry, with weaknesses in their security. From logistics companies inadvertently revealing staff movement patterns through exposed employee access logs and educational institutions exposing faculty credentials, to healthcare facilities with unsecured access management systems containing staff data and manufacturing plants revealing detailed employee records, these are no small worries. These misconfigurations exposed highly sensitive personal information, including employee photographs, full names, identification numbers, access card details, biometric data, vehicle plate numbers, and in some cases, even complete work schedules and facility access histories. Particularly concerning was the discovery of exposed biometric templates and facial recognition data in several modern access control systems, which could pose serious privacy risks if accessed by malicious actors. The impact of something like this is felt at both an organisational and a human level. The scope and depth of exposed information varied by organisation but consistently included enough personal data to create significant privacy and security risks for the affected organisations and their employees.

It is bad practice to connect these systems to the internet. To avoid issues like these, owners can start by restricting access to these systems by placing them behind firewalls and VPNs, ensuring they are not directly exposed to the public web. Users should conduct regular security updates and patch management, since these are crucial to mitigating known vulnerabilities that attackers may exploit. It is important to ensure that default credentials are changed immediately, and access should be restricted. Continuous monitoring, including the internet exposure of your devices, will help with internal detection and response to suspicious activities. These measures can prevent unauthorised access, protect employee data, and maintain the physical security of the organisations' facilities.
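As an added illustration (not part of Modat's research or tooling), the recommendations above can be turned into a simple audit of an organisation's own AMS inventory. The device records, field names and the 90-day patch threshold are assumptions made for this example.

```python
import ipaddress
from datetime import date

# RFC 1918 ranges treated as "internal"; adjust to your own addressing plan.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PATCH_AGE_DAYS = 90  # assumed policy threshold, not taken from the article

def is_internal(net):
    """True if the whole network sits inside one of the INTERNAL ranges."""
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)

def audit(device, today):
    """Return the list of findings for one inventory record."""
    findings = []
    mgmt = ipaddress.ip_network(device["mgmt_ip"])  # single host becomes a /32
    if not is_internal(mgmt):
        findings.append("management interface has a public address")
    for cidr in device["allowed_sources"]:
        if not is_internal(ipaddress.ip_network(cidr, strict=False)):
            findings.append(f"admin access allowed from non-internal source {cidr}")
    if not device["default_credentials_changed"]:
        findings.append("default credentials still in place")
    age = (today - device["last_patched"]).days
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last patched {age} days ago")
    return findings

# Constructed sample inventory: hypothetical devices, 203.0.113.0/24 is a
# documentation range standing in for a public address.
INVENTORY = [
    {"name": "lobby-turnstile", "mgmt_ip": "10.20.0.15",
     "allowed_sources": ["10.20.0.0/24"],
     "default_credentials_changed": True, "last_patched": date(2025, 1, 10)},
    {"name": "garage-anpr", "mgmt_ip": "203.0.113.10",
     "allowed_sources": ["0.0.0.0/0"],
     "default_credentials_changed": False, "last_patched": date(2024, 3, 1)},
    {"name": "hr-biometric", "mgmt_ip": "192.168.5.8",
     "allowed_sources": ["192.168.5.0/24", "0.0.0.0/0"],
     "default_credentials_changed": True, "last_patched": date(2024, 12, 20)},
]

def audit_all(inventory, today):
    """Map device name to findings, keeping only devices with a finding."""
    report = {d["name"]: audit(d, today) for d in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, date(2025, 1, 21)).items():
        print(name, "->", "; ".join(findings))
```

The third record shows why the firewall rule is checked separately from the address: a device on an internal address is still flagged when its admin interface accepts connections from any source.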
