A facial recognition company that works with US law enforcement agencies has sent a notification to its customers that an "intruder" gained access to its entire client list.
New York-based Clearview AI told The Daily Beast that the breach also included figures for client accounts and searches.
The company gained notoriety in January after it said it harvested three million images from sites like Twitter and Facebook to power its facial recognition models.
That data is not thought to have been involved in the breach and the company said its systems and network had not been compromised.
However, its list of customers, some of which are reportedly high profile agencies such as the FBI, has been accessed.
Digital Risk Report 2020
A global view into the impact of digital transformation on risk and security management
"Security is Clearview's top priority," the company's attorney, Tor Ekeland, told The Daily Beast. "Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security."
Clearview gained notoriety after The New York Times ran a feature about its work with law enforcement agencies and how its facial recognition models were trained on three billion images from the internet. These, it said, were harvested from social media sites, YouTube and more. Twitter, and then later Facebook, sent cease and desist letters to the company requesting it stop harvesting its user data as it violated privacy policies.
The agencies it is said to work with include the FBI and the Department of Homeland Security. An anonymous Canadian law-enforcement official told The NYTs that for investigations into sexual abuse it was "the biggest breakthrough in the last decade".
While Clearview's attorney rightly pointed out that data breaches are a fact of modern life, the nature of its business makes this type of attack particularly problematic, according to Tim Mackey, a principal security strategist for Synopsys.
"I would encourage Clearview to provide a detailed report covering the timeline and nature of the attack," he said. "While it may well be that the attack method is patched, it also is equally likely that the attack pattern is not unique and can point to a class of attack others should be protecting against."
According to Forrester's senior analyst Kjell Carlsson, there is a high likelihood that Clearview's client list will get into the wrong hands and we will see cities across the globe finding out that their local law enforcement agencies were testing or using Clearview. This, he fears will start a backlash.
"We should evaluate these technologies on the basis both of ethics and efficacy and on both fronts Clearview scores poorly," he said. "There is an ethical way to do facial recognition and a non-ethical way, and Clearview very clearly chose a non-ethical way, creating a database of names, faces (and presumably other personal information) by scraping social media. Further, the little evidence on tests using Clearview suggests that it wasn't particularly effective with a high rate of false positives, relative to competitors.
"There will now be even more pressure on western tech giants not to invest in facial recognition, and it is wrong. It is far better that companies like Google, Microsoft, AWS and IBM offer facial recognition because they have the capabilities to do it well and the reputational-risk to ensure that it is done as ethically as possible versus companies like Clearview who can operate in the dark until a scandal brings them to the public attention."
