Controversial facial recognition startup Clearview AI revealed this week that its entire client list was stolen by someone with “unauthorized access”.
As first reported by The Daily Beast, the data accessed included Clearview’s customer list, the number of accounts each customer has, and the number of searches those customers had made. The company’s attorney, Tor Ekeland, said that the bug that allowed the breach to occur has since been patched.
The company, whose facial recognition solution allows law enforcement to scrape data from across social media platforms, is by no means a stranger to controversy. It’s currently under investigation by the Privacy Commissioner of Canada.
It has also been under fire from privacy experts following the discovery that Toronto Police Services were using the app without the police chief’s knowledge.
One cybersecurity expert, Brian Warehime, the principal threat researcher at ZeroFOX, wrote in an emailed statement that such a breach should have been preventable with regular security checks.
“Although these services offer data storage capabilities, a good threat model assumes that they are publicly accessible, and then a security department should review how to limit exposure. Consistent scanning of your assets/buckets to audit against this model is a necessity,” said Warehime. “Any breach, regardless of what data was leaked, is likely to have lasting impact, and this holds true for something as sensitive as a client list for a controversial company like Clearview AI.”
According to previous reports, the company’s clients include law enforcement agencies from all across North America, including the FBI and Homeland Security.