UPDATED 21:08 EST / FEBRUARY 26 2020

Customer data stolen in data breach of facial recognition company Clearview AI

Controversial facial recognition company Clearview AI Inc. has suffered a data breach, and the company is advising customers that an intruder “gained unauthorized access” to its list of customers.

The breach was first reported today by The Daily Beast; details of how it took place were not disclosed. Clearview AI only said that the data included “the number of user accounts those customers had set up and… the number of searches its customers have conducted.” The company also said there was “no compromise of Clearview’s systems or network” and that it has fixed the vulnerability.

“Security is Clearview’s top priority,” an attorney for the company said in a statement. “Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.”

Clearview AI has been controversial because it scrapes publicly available images for its facial recognition software. That software is then sold to law enforcement agencies to identify people on closed-circuit television footage. Google LLC sent a cease-and-desist letter to the company earlier this month, while Twitter Inc. also demanded in January that the company stop collecting photos from its app.

If what Clearview AI says is true and there was no compromise of the company’s servers, the logical conclusion would be that this could be yet another case of a company failing to secure an online database.

“The general contours of what has been reported seem to indicate that an unauthorized person was able to perform limited commands or queries against the server or database without the expected authentication,” Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “It’s a very common type of attack caused by programming or configuration errors.”

Tim Mackey, principal security strategist at the Synopsys Inc. Cybersecurity Research Center, noted that given the type of data and client base that Clearview AI has, criminal organizations will view compromise of its systems as a priority.

“While their attorney rightly states that data breaches are a fact of life in modern society, the nature of Clearview AI’s business makes this type of attack particularly problematic,” Mackey explained. “Facial recognition systems have evolved to the point where they can rapidly identify an individual, but combining facial recognition data with data from other sources like social media enables a face to be placed in a context which in turn can enable detailed user profiling – all without explicit consent from the person whose face is being tracked.”

Calling out the lack of information in the disclosure, Tim Erlin, vice president of product management and strategy at cybersecurity company Tripwire Inc., added that “this notification provides very little actionable information for anyone involved or just trying to avoid the same mistakes. We’re likely to hear more about the extent of this breach as investigations uncover more data, and history tells us that it’s likely to expand in scope.”

Image: mikemacmarketing/Flickr
