The recent NurseryCam data breach reportedly exposed the information of parents using the webcam service, which allows them to watch live footage of their kids at nursery.
NurseryCam is said to be in use across 40 nurseries in the UK. The company believes that the breach did not allow unauthorised users to view the webcam footage, but it nevertheless had the potential to cause a substantial violation of privacy had action not been taken quickly. It is currently unclear how many users of NurseryCam have been affected.
The news comes following a public dispute between NurseryCam and a cybersecurity expert, who had reportedly identified holes in the company’s defences prior to the data breach. As a result, the incident undoubtedly raises questions about the strength of the cybersecurity measures used by the company, and perhaps also the general attitude towards data protection among employees.
The NurseryCam data breach – what happened?
The NurseryCam data breach was first made apparent to the company on 19th February, with the issue being dealt with not long after. NurseryCam reportedly had no reason to believe that unauthorised viewers had watched the webcam footage, but the server was temporarily shut down as a sensible precaution.
A “loophole” in the systems was reportedly discovered by a third party, which was understood to be compromising the information stored for parents’ accounts. The affected details may have included names, usernames and passwords, as well as email addresses, all of which may have fallen into the hands of unknown people.
Ignored warnings and near misses
In a stroke of luck, it seems that the person who obtained the private data has no intention of misusing it, perhaps making this a “near miss” kind of affair. The company director of NurseryCam claims that the person to whom the data was exposed has expressed that he means no harm. In addition, the consultant who previously complained of NurseryCam’s alleged system insecurities is understood to have been in contact with the hacker, who reportedly showed him a redacted version of the data that had been stolen.
The consequences of the NurseryCam data breach may have been much worse if a hacker with malicious intentions had been involved, and still could be if someone goes against the promises allegedly made.
NurseryCam’s director states that the system’s flaws are unconnected to those which were previously alleged by the cybersecurity consultant. However, it is worrying that NurseryCam failed to locate the insecurities which caused the data breach in any event, and that the consultant appears to have been largely proven right in his concerns.
In many comparable data protection breach examples, UK consumers have suffered as a result of companies failing to act upon cybersecurity warnings. The Equifax data breach, for which we are currently representing clients in a group action, occurred when hackers took advantage of a known cybersecurity vulnerability which the company failed to patch up.
Claiming for a data protection breach
In the age of the GDPR, companies cannot get away with loopholes or flaws in their systems. They have a duty to implement and monitor cybersecurity measures effectively, just as they have a duty not to disclose private data without permission.
Incidents such as the NurseryCam data breach cannot simply be blamed on the technology, as data controllers are ultimately in charge of the upkeep of cybersecurity technology.