A facial-recognition company that contracts with powerful law-enforcement agencies just reported that an intruder stole its entire client list, according to a notification the company sent to its customers.
In the notification, which The Daily Beast reviewed, the startup Clearview AI disclosed to its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts those customers had set up, and to the number of searches its customers have conducted. The notification said the company’s servers were not breached and that there was “no compromise of Clearview’s systems or network.” The company also said it fixed the vulnerability and that the intruder did not obtain any law-enforcement agencies’ search histories.
Tor Ekeland, an attorney for the company, said Clearview prioritizes security.
“Security is Clearview’s top priority,” he said in a statement provided to The Daily Beast. “Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.”
The firm drew national attention when The New York Times ran a front-page story about its work with law-enforcement agencies. The Times reported that the company scraped 3 billion images from the internet, including from Facebook, YouTube, and Venmo. That process violated Facebook’s terms of service, according to the paper. It also created a resource that drew the attention of hundreds of law-enforcement agencies, including the FBI and the Department of Homeland Security, according to that report. In a follow-up story, the Times reported that law-enforcement officials have used the tools to identify children who are victims of sexual abuse. One anonymous Canadian law-enforcement official told the paper that Clearview was “the biggest breakthrough in the last decade” for investigations of those crimes.
The notification did not describe the breach as a hack. David Forscey, the managing director of the no-profit Aspen Cybersecurity Group, said the breach is concerning.
“If you’re a law-enforcement agency, it’s a big deal, because you depend on Clearview as a service provider to have good security, and it seems like they don’t,” Forscey said.
Facial-recognition technology—which matches photos of unidentified victims or suspects against enormous databases of photos—has long drawn intense criticism from privacy advocates. They argue it could essentially mean the end of personal privacy, especially given the proliferation of security cameras in public places. Some law-enforcement officials, meanwhile, see it as a tool with enormous potential value.