Anatomy of a Breach

Anatomy of a Breach: Clearview AI — 3 Billion Scraped Photos and the Surveillance Company That Scraped the Internet

> series: anatomy_of_a_breach —— part: 134 —— target: clearview_ai —— photos_scraped: 3,000,000,000 —— then: client_list_stolen<span class="cursor-blink">_</span>_

Hedgehog Security 28 February 2020 13 min read
clearview-ai facial-recognition scraping surveillance privacy 3-billion-photos law-enforcement series
Breach #134

3 billion photos scraped from the internet. Then the company that scraped them was breached.

In January 2020, a New York Times investigation revealed that Clearview AI — a secretive startup founded in 2017 — had scraped approximately 3 billion photos from Facebook, Instagram, YouTube, Twitter, and millions of other websites to build a facial recognition database. The company sold access to this database to over 600 law enforcement agencies in the US, enabling officers to upload a photo of an unknown person and receive matches from the scraped dataset — effectively creating a surveillance capability that dwarfed anything previously available.

In February 2020, Clearview AI disclosed that its entire client list had been stolen in a data breach — revealing which law enforcement agencies, government departments, and private companies had purchased access to the facial recognition service. The double revelation — mass scraping of public photos combined with the theft of the client list — created a unique privacy crisis: not only were billions of people's photos in a surveillance database they had never consented to, but the list of organisations using that database was now also compromised. Multiple countries, including the UK (through the ICO), subsequently investigated Clearview AI and imposed fines for violating data protection law.

Data Scraping as Breach
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

When 'public' data is collected at scale, it becomes surveillance.

Public Photos ≠ Consent for Surveillance
Photos posted publicly on social media were scraped without consent and used for facial recognition by law enforcement. Under GDPR and the UK's Data Protection Act, mass scraping of personal data (including biometric data derived from photos) requires a lawful basis — which Clearview AI did not have for UK citizens. The <a href="https://ico.org.uk/action-weve-taken/enforcement/clearview-ai-inc/">ICO fined Clearview AI £7.5 million</a> and ordered deletion of UK citizens' data.
Client List Stolen
The theft of Clearview AI's client list revealed which agencies were secretly using the tool — creating political and legal exposure for those agencies. When a surveillance vendor is breached, its clients' use of surveillance tools becomes public. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for data exposure from third-party vendor breaches.
Biometric Data at Scale
Facial recognition data is biometric data — it cannot be changed if compromised. The creation of a 3-billion-photo facial recognition database represents an irreversible privacy violation at global scale. For organisations processing biometric data, our <a href="/penetration-testing/infrastructure">security assessments</a> evaluate biometric data protection controls.
Global Regulatory Response
The ICO (UK), CNIL (France), DPA (Italy), and the Australian Privacy Commissioner all investigated or fined Clearview AI — demonstrating that GDPR-era regulators will act against companies that scrape personal data without consent, regardless of where the company is based. <a href="/cyber-essentials">Cyber Essentials</a> and GDPR compliance require lawful data processing.
Lessons

Public data is not free data. And surveillance companies get breached too.

Clearview AI taught two lessons: first, mass collection of publicly available data for purposes the individuals did not consent to is a data protection violation under GDPR. Second, surveillance companies — like Hacking Team (2015) and NSO Group (2019) — are themselves breach targets, and their compromise exposes their clients' activities.

For UK organisations, Cyber Essentials and GDPR compliance require that data collection is lawful, proportionate, and consented. Our web application testing assesses whether your platforms are being scraped. SOC in a Box monitors for scraping activity against your web assets. And UK Cyber Defence provides incident response when data scraping or misuse is detected.

Data Protection

Clearview scraped 3 billion photos without consent. The ICO fined them £7.5 million. Is your data processing lawful?

<a href="/cyber-essentials">Cyber Essentials</a> addresses data protection. <a href="/penetration-testing/web-application">Application testing</a> detects scraping vulnerabilities. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for scraping activity.

Commission a Security Assessment Next: COVID-19 Remote Working
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 28 February 2024

Anatomy of a Breach: Operation Cronos — International Law Enforcement Dismantles LockBit

Breach #182. On 19 February 2024, an international law enforcement operation — dubbed Operation Cronos — led by the UK's National Crime Agency (NCA), the FBI, and Europol, dismantled the infrastructure of LockBit, the world's most prolific ransomware-as-a-service operation. The operation seized LockBit's dark web leak site, obtained over 1,000 decryption keys, arrested multiple affiliates, and — in a display of counter-messaging — used LockBit's own website to publish information about the operation and the group's leader. LockBit had been responsible for over 2,000 attacks worldwide, extracting more than $120 million in ransom payments. The takedown was the most significant law enforcement action against ransomware in history.

lockbit operation-cronos
14 min read
Anatomy of a Breach 31 July 2022

Anatomy of a Breach: Twitter — 5.4 Million Users' Phone Numbers Exposed Through an API Vulnerability

Breach #163. In July 2022, it was confirmed that a Twitter API vulnerability — reported through Twitter's bug bounty programme in January 2022 and patched — had been exploited before the fix to scrape the personal data (including phone numbers and email addresses) of approximately 5.4 million Twitter users. The scraped data was offered for sale on a hacking forum. A larger dataset of 200 million Twitter email addresses subsequently surfaced. The breach followed the identical pattern of API scraping vulnerabilities that had affected Facebook (533M, 2021) and LinkedIn (700M, 2021) — proving that API enumeration and scraping remain persistent, industry-wide vulnerabilities.

twitter api-vulnerability
11 min read
Anatomy of a Breach 31 May 2019

Anatomy of a Breach: WhatsApp and NSO Group — A Missed Call That Hacked Your Phone

Breach #125. In May 2019, WhatsApp disclosed that attackers had exploited a buffer overflow vulnerability in its VoIP calling feature to install NSO Group's Pegasus spyware on targets' phones — simply by placing a call that the target did not even need to answer. The zero-click exploit affected approximately 1,400 users — including journalists, human rights lawyers, political dissidents, and diplomats. The breach exposed the growing market for commercial surveillance tools and raised fundamental questions about whether any smartphone can truly be considered secure.

whatsapp nso-group
14 min read
All Posts Get in Touch