According to a notification sent to its clients, facial recognition company Clearview has had its full client list stolen by an intruder.
Clearview describe their service as 'technology to help solve the hardest crimes'. But this time, they are on the receiving end of a breach.
The company's notification explains that client information was stolen by a thief who had "unauthorised access", which allowed them to take a large amount of data.
The intruder gained access to:
- Its list of customers
- The number of user accounts those customers had set up
- The number of searches its customers have conducted
Clearview do not describe the activity as a hack, and reassured clients that the company's servers were not breached.
An attorney for the company, Tor Ekeland, says: "Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security".
Crucially, Clearview works with law-enforcement agencies, so security is one of their main concerns. As confidential data could be at risk, there is a lot at stake.
Roger Grimes, data-driven defense evangelist at KnowBe4, warns: "Getting not only the customer list but some limited information, such as the number of searches that a particular customer performed, has value".
He adds: "As a minimum, that customer list can be sold to competitors who can then offer similar services with steep competitive discounts to gain market-share.
"It might also be used in a sophisticated spearphishing campaign, where membership can be tied to specific phishing attempts which appear to have insider information.
"Any bits of private information and knowledge, such as account names, that can be used within a spearphishing email make that email seem more realistic and more able to fool a higher percentage of people".
Tim Erlin, VP at Tripwire, is sceptical about the usefulness of Clearview's post-breach communication: "This notification provides very little actionable information for anyone involved or just trying to avoid the same mistakes. A breach like this just adds fuel to the fire for Clearview's critics".
Cyber security specialist at ESET, Jake Moore, has advice for organisations going forward: "Data stored should always be heavily encrypted to protect against threat actors, even in the case it gets released or exposed in a hack.
"Especially with Clearview AI’s breach in mind, we must remember that every data breach is serious – and if the data exposed this time had included faces, it would have taken the breach to the next level.
"When companies are entrusted with extremely sensitive data, such as personal information like facial identities, they need to take on the responsibility seriously, and understand that they are a higher-profile risk. This should mean adding extra layers of protection to guard against attacks, even if these seem inevitable."
There will always be a risk of information leaks in today's digital age. The question is, how can organisations make their data more secure, protect data privacy and prevent harmful breaches in the future?