Surveillance system with cameras for kindergartens reveals confidential data and lets everyone watch. The company gives in. But there were already gaps in 2015.
A surveillance camera system for kindergartens in the UK has to be shut down because a severe data breach threatens confidentiality. A security flaw in the surveillance system called NurseryCam exposes the credentials of the participating parents. First, the IT portal The Register reported about it.
Free access passwords
NurseryCam is installed in several kindergartens in the UK and allows parents to observe their offspring after being weaned there remotely. To do this, it uses several cameras and a digital video recorder (DVR). For this purpose, the company behind the FootfallCam surveillance system provides parents with login information. However, a severe security gap in the system has led to the fact that data from parental accounts can be read out at will – including username, password, real name and email address, reports The Register. The company then informed those affected and switched off its servers until the problem was resolved. Forty kindergartens in Great Britain are affiliated.
An unspecified person had made NurseryCam aware of the vulnerability and asked them to improve security. The company said the person – apparently a well-meaning ‘white hat’ hacker – had behaved “responsibly” and did not want to cause any damage to the data. Besides, the company believes that neither kindergarten children nor the staff were illegally observed but did not provide any evidence to support this assumption. The company calls the shutdown of the servers a precautionary measure, reports the BBC.
Administrator access for everyone
The company also informed the British Information Commissioner’s Office (ICO) about the incident. Firms in the UK are required to report data breaches of “significant impact” to the ICO within 24 hours. NurseryCam itself was informed of the security hole on Friday.
However, as The Register continues, the security of the camera system was previously noticeable. Everybody got administrator access via the associated mobile app and could bypass the registration as a user. The company has been informed of this as early as 2015 but downplayed the discovery and only closed this gap later.