
Facial recognition company Clearview’s client list stolen by “intruder” - zigzaggy
https://www.thedailybeast.com/clearview-ai-facial-recognition-company-that-works-with-law-enforcement-says-entire-client-list-was-stolen
======
_nickwhite
From the article:

"Security is Clearview's top priority," he said in a statement provided to The
Daily Beast. "Unfortunately, data breaches are part of life in the 21st
century. Our servers were never accessed. We patched the flaw, and continue to
work to strengthen our security."

Servers never accessed? Then how was the client list stolen? Was a paper copy
stolen from a filing cabinet? I find this posture somewhat arrogant and
dismissive. Also, the article is light on technical details. Does anyone have
info on what flaw was exploited and patched?

~~~
jjoonathan
Could the "intruder" have been Joe from sales who came back the night he was
laid off using his secondary keycard, which IT hadn't quite gotten around to
deactivating yet, and grabbed his old rolodex?

~~~
spacec0wb0y
And how was Joe "patched"

~~~
reaperducer
With extreme prejudice.

~~~
rezgi
The only way to patch.

------
vorpalhex
World's smallest fiddle. I hope they get the ever-living snot sued out of them
so they understand they can't throw security to the four winds and just swim
around in their profits. They were reckless and irresponsible in assembling
that data, and I have no doubt they were reckless and irresponsible in storing
it.

~~~
Thriptic
Agreed. Maybe if the company wasn't doing the things they were doing they
wouldn't have been targeted. I have about as much sympathy for them as I do
for Hacking Team, FinFisher, et al after their respective breaches.

------
vic-traill
I apologise for a low value comment, but I can't resist the opportunity:

Did Clearview get a picture of the 'intruder'?

------
mzs
some earlier discussion:

>The firm drew national attention when The New York Times ran a front-page
story about its work with law-enforcement agencies. The Times reported that
the company scraped 3 billion images from the internet, including from
Facebook, YouTube, and Venmo. That process violated Facebook’s terms of
service, according to the paper. It also created a resource that drew the
attention of hundreds of law-enforcement agencies, including the FBI and the
Department of Homeland Security, according to that report. In a follow-up
story, the Times reported that law-enforcement officials have used the tools
to identify children who are victims of sexual abuse. One anonymous Canadian
law-enforcement official told the paper that Clearview was “the biggest
breakthrough in the last decade” for investigations of those crimes.

[https://news.ycombinator.com/item?id=22424828](https://news.ycombinator.com/item?id=22424828)

[https://news.ycombinator.com/item?id=22426599](https://news.ycombinator.com/item?id=22426599)

------
gsich
>Unfortunately, data breaches are part of life in the 21st century.

They are not. Just don't collect the data in the first place.

~~~
the_snooze
21st century tech companies: "If we fuck up, too bad for you." All the
profits, none of the responsibility.

~~~
Ididntdothis
That’s the whole idea behind the term “identity theft”. They are too cheap to
set up proper systems, so let’s just move the problem to the customer.

~~~
NortySpock
The proper title is, of course, "identity fraud" or "bank fraud" at a bank,
where the fault is on the part of the bank to prove that you are you, not on
the consumer to "protect" their information that someone else lost.

------
bilekas
> “Security is Clearview’s top priority,”

Clearly...

~~~
ceejayoz
"Everything in JIRA is the default 'medium'."

------
privateSFacct
I know it's not popular, but set your email and other retention periods to a
relatively short time frame. Even a year or two drops tons of sensitive data
off. Flag important stuff, or file it elsewhere, if you want to keep it.

~~~
css
This is often not legal. For example, Sarbanes-Oxley requires seven years of
retention for public companies in the US[0]. Depending on the industry it can
be longer; I believe some financial segments are required to retain email
indefinitely.

[0]:
[https://www.sec.gov/rules/final/33-8180.htm](https://www.sec.gov/rules/final/33-8180.htm)

------
SEJeff
No doubt the same "intruder" who hacked the Office of Personnel Management a
few years ago.

