Artificial Intelligence company Clearview AI, who has created a facial recognition database from more than three billion photographs, has suffered a data breach. The company’s entire client list was stolen by intruders. Clients include law enforcement agencies and banks. Clearview AI has said they have fixed the flaw that allowed the data breach to happen.
Clearview AI’s attorney, Tor Ekeland, said that “unfortunately, data breaches are a part of life. Our servers were never accessed.” However, he emphasized that security is a top priority company. Ekeland added that Clearview AI continues “to work to strengthen our security.”
Clearview notified its customers “that an intruder ‘gained unauthorized access’ to its list of customers, to the number of user accounts those customers had set up, and to the number of searches its customers have conducted.” It also assured customers that there was no breach in its systems or network. It is important to note that the data breach was not described as a hack; nonetheless, the breach is still concerning.
“If you’re a law-enforcement agency, it’s a big deal, because you depend on Clearview as a service provider to have good security, and it seems like they don’t,” David Forscey, managing director of Aspen Cybersecurity Group, told The Daily Beast.
While the hacker was able to obtain Clearview’s customer list, it was not able to access any customer search histories. Clearview AI scraped over 3 billion photographs from sites including Facebook, Instagram, Twitter, and YouTube. Clearview has used the photographs to create a facial recognition database for law enforcement; it will allow them to match photographs of unidentified people to their online photos. Clearview AI keeps these photos in its database, even if the user has made their account private or deleted the account.
Sen. Edward Markey (D-Mass.) previously questioned Clearview about its product and sale to law enforcement. In response to the data breach Sen. Markey stated, “Clearview’s statement that security is its ‘top priority’ would be laughable if the company’s failure to safeguard its information wasn’t so disturbing and threatening to the public’s privacy,” said Senator Markey, a member of the Commerce, Science, and Transportation subcommittee. “If your password gets breached, you can change your password. If your credit card number gets breached, you can cancel your card. But you can’t change biometric information like your facial characteristics if a company like Clearview fails to keep that data secure. This is a company whose entire business model relies on collecting incredibly sensitive and personal information, and this breach is yet another sign that the potential benefits of Clearview’s technology do not outweigh the grave privacy risks it poses.”
Clearview AI has been at the forefront of a larger data privacy and cybersecurity discussion. Clearview AI faces a class action suit filed in January alleging it violated Illinois biometric privacy law. Other lawsuits against Clearview AI have also accused it of violating various state laws. Facebook and YouTube have both requested that Clearview cease scraping information from their platforms. New Jersey has banned law enforcement agencies from using the technology, while the state reviews it.
The breach could result in an increase of lawsuits for the company, given the data they have collected and the revelation of their once-hidden client list. While the company has portrayed the breach as minor, BuzzFeed has revealed that over 2,000 agencies have an account with Clearview. Federal agencies, including the Secret Service, FBI, ATF, and ICE, have all used the app to run thousands of searchers.