The controversial facial recognition company Clearview AI has notified its customers that a bad actor had “gained unauthorized access” to its entire customer list, which includes some of the most powerful law enforcement agencies in the United States. According to the notification obtained by the Daily Beast, the stolen information includes customer names, the user accounts that the customers had set up, and even the number of searches that they ran through the service.
Details are rather sparse about the nature of the incident and it's not immediately clear how it unfolded. Interestingly enough, however, Clearview AI denied that it had suffered a breach of its own servers.
“Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security,” Tor Eklund, an attorney representing the company, was quoted as saying.
The startup also gave assurances that the bad actors weren’t able to gain access to the search histories of any of the law-enforcement agencies using the system. Apparently, the image database was not accessed, either.
ESET Security Specialist Jake Moore shared his expert opinion on the matter: “Data breaches might be part of life in the 21st century but we need to make sure the severity is kept to a minimum and the data exposed is heavily encrypted. Any data breach is serious and should not be taken lightly. If the data exposed had included faces, it would have taken this to the next level.”
"Companies which hold extremely sensitive data such as facial identities need to understand they are a higher profile risk and need even more layers of protection to thwart these inevitable attacks,” he added.
Clearview AI has been in the spotlight after the New York Times wrote that the company had scraped over 3 billion images from social media such as Facebook, YouTube, and Twitter. The company received cease-and-desist letters from the affected tech giants, which claimed that Clearview AI had violated their terms of use. The company, which has also been hit with class-action lawsuits by American citizens, seems unruffled by the accusations and argues that it has a First Amendment right to scrape public data.
Facial recognition is a hotly discussed topic, especially due to the underlying privacy concerns and the potential for misuse of the technology. San Francisco, for one, was the first city in the United States to ban its use by law enforcement and local agencies. Meanwhile, the European Union mulled a temporary ban on the use of the technology in public places, but eventually backtracked on the idea.