Cyber Incident Victim: NurseryCam
Date:
Feb 2021
Location:
United Kingdom
Summary
NurseryCam's IoT camera service was compromised, leading to a shutdown after unauthorized access exposed 12,000 users' personal data, including names, emails, and passwords stored in plaintext. The attacker published poorly redacted information online, enabling easy identification of affected individuals. Security researchers verified the breach and alerted the company, which had previously received multiple warnings about vulnerabilities such as insecure direct object references and publicly accessible servers, some of which were addressed following user reports.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On February 19, 2021, at 17:18 GMT, NurseryCam detected a cyber incident in its IoT camera monitoring service after being alerted by The Register. A hacker had contacted the publication earlier that day, claiming possession of credentials for 12,000 user accounts—including real names, usernames, email addresses, and passwords—and subsequently leaked the data online. Though the attacker initially appeared to have hashed passwords using the vulnerable SHA-1 algorithm, subsequent verification revealed the credentials had been stored and exposed in plaintext. The hacker’s attempt to redact sensitive information failed, enabling trivial identification of affected parents and their contact details. The Register and IoT security researcher Andrew Tierney independently validated the authenticity of the compromised credentials before notifying NurseryCam. In response, the company suspended its camera service on February 20 to implement security measures, with the system remaining offline through at least the publication date of the initial report. NurseryCam began notifying affected parents via email on February 20, with FootfallCam Ltd and Meta Technologies Ltd—the UK-based companies operating the service—acknowledging the breach. Director Melissa Kao stated the unidentified hacker had "acted responsibly" in disclosing the issue and confirmed remediation efforts were underway.
The breach followed multiple unresolved security warnings dating back years. A corporate FootfallCam customer disclosed having reported vulnerabilities over a four-year period, including a publicly accessible FTP server hosting verification videos that allowed browsing of other customers’ data through URL parameter manipulation—a clear insecure direct object reference (IDOR) flaw. Another NurseryCam user independently reported security weaknesses in 2020 but received an inadequate response from the company. Additional parents had alerted the firm to vulnerabilities in 2015 and 2019, though their specific concerns were eventually patched. The incident exposed sensitive personal information, created risks of unauthorized access to nursery surveillance feeds, and prompted immediate service disruption for customers. NurseryCam’s parent companies faced public scrutiny over their delayed response to longstanding security deficiencies despite repeated external warnings prior to the breach.