Controversial face recognition company Clearview AI suffered a major data breach this week that compromised data belonging to almost 2,200 organisations ranging from law enforcement authorities to private companies that were part of Clearview’s client list.
The client list of the company ranged from US Immigration and Customs Enforcement, the Department of Justice, the FBI, Macy’s, to thousands of government agencies who use the company’s software for facial recognition. The recent data breach is an alarming incident as information stored by it was supposed to be restricted to law enforcement agencies.
According to Buzzfeed, not only law enforcement and government entities but retailers like Walmart, Best Buy and Macy’s were in their compromised client list too as they had signed paid contracts to create a global biometric identification system. The report also highlighted that Clearview either sold or shared its software tool with several companies globally.
Clearview, which claims to provide tools to find names, addresses and personal information from scrapped images, recently faced legal challenges from companies like YouTube, Twitter, and Linkedin for gathering information from their platforms. Facebook has also asked the company to “stop accessing or using information from Facebook or Instagram.”
“Security is Clearview’s top priority. Unfortunately, data breaches are part of life in the 21st Century. Our servers were never accessed. We patched the flaw and continue to work to strengthen our security,” Clearview told BBC after the massive breach came to light.
Facial recognition technology can be used by criminals to profile innocent victims
In response to Clearview’s comment, Tim Mackey, principal analyst with security company Synopsys, told BBC that “while their attorney rightly states that data breaches are a fact of life in modern society, the nature of Clearview AI’s business makes this type of attack particularly problematic.”
He also told TEISS that “In cybersecurity there are two types of attacks – opportunistic and targeted. With the type of data and client base that Clearview AI possess, criminal organisations will view compromise of Clearview AI’s systems as a priority.”
“Facial recognition systems have evolved to the point where they can rapidly identify an individual, but combining facial recognition data with data from other sources like social media enables a face to be placed in a context which in turn can enable detailed user profiling – all without explicit consent from the person whose face is being tracked. There are obvious benefits for law enforcement seeking to identify missing persons to use such technologies for good, but with the good comes the bad.
“I would encourage Clearview AI to provide a detailed report covering the timeline and nature of the attack. While it may well be that the attack method is patched, it also is equally likely that the attack pattern is not unique and can point to a class of attack others should be protecting against,” he added.