Cyber Incident Victim: Clearview AI
Date:
Feb 2020
Location:
United States of America
Summary
A facial-recognition company experienced unauthorized access resulting in theft of its entire client list, including user account numbers and search counts, though its servers and search histories were not compromised. The firm addressed the vulnerability and reiterated security as a priority, but cybersecurity experts raised concerns about the adequacy of its protections given its role serving law enforcement agencies handling sensitive investigations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 26, 2020, facial recognition company Clearview AI notified customers that an intruder had stolen its entire client list, including details about the number of user accounts each client had established and the total number of searches those clients had performed. The company stated the attacker "gained unauthorized access" but emphasized its servers and network were not breached, with no compromise of law enforcement search histories. Clearview identified and patched the vulnerability responsible for the exposure, though it did not disclose the specific flaw or method of intrusion in its notification. The company’s attorney, Tor Ekeland, characterized data breaches as inevitable in modern operations while asserting security remained Clearview’s top priority. The incident occurred amid heightened scrutiny following a New York Times report revealing Clearview’s practice of scraping 3 billion images from platforms including Facebook, YouTube, and Venmo—actions violating Facebook’s terms of service.
The breach impacted Clearview’s reputation as a service provider to law enforcement agencies, including the FBI and Department of Homeland Security, which relied on its technology for criminal investigations such as identifying child sexual abuse victims. David Forscey of the Aspen Cybersecurity Group noted the incident undermined confidence in Clearview’s security practices, particularly concerning for agencies entrusting sensitive operations to the company. While no operational systems or search data were exfiltrated, the theft of client identities and usage metrics exposed the scale of Clearview’s law enforcement partnerships. The event unfolded against ongoing debates about facial recognition technology’s privacy implications, with critics warning of risks to personal privacy from mass surveillance capabilities. Clearview’s response focused on remediating the technical vulnerability without addressing broader concerns about its data collection methods or security governance raised by the breach.