NurseryCam, a webcam that lets parents watch their children while they are at nursery school, has suffered a data breach that caused the company to shut down its servers.
The UK-based NurseryCam told the BBC in an interview that there is no indication that any child or staff member had been watched by an intruder. The company shut down its servers as a precautionary measure, and the service would remain suspended until security is restored.
What’s interesting is that the company also notified the Information Commissioner’s Office. Under UK law, the ICO must be notified of a breach within 24 hours if it has a “significant impact.”
NurseryCam said it had become aware of the breach around 5 PM (GMT) on Friday.
The perpetrator apparently communicated with the company's management, as NurseryCam’s director Dr. Melissa Kao told the BBC, “He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures.”
Commenting on the incident, she said that the bad actor used a “loophole” in the service’s system to obtain data from parents’ accounts, including names, logins, passwords, and email addresses.
The company had been warned about security issues in NurseryCam. Andrew Tierney, a cyber-security consultant, contacted NurseryCam a couple of weeks prior to the incident and claimed to have found problems in its systems.
In fact, the hacker contacted Andrew Tierney and passed on a redacted copy of the stolen data. Consequently, Mr. Tierney contacted NurseryCam to offer his help in remediating the issue.
He claims he doesn’t know who that hacker is.
“I don’t know who this guy is,” he said. “But what I’ve done is send NurseryCam the weak points in its system that I had spotted over the last couple of weeks.”
Although Mr. Tierney denies knowing anything about the hacker, it is an interesting chain of events: he learns about the vulnerabilities, and then someone hacks NurseryCam and contacts Mr. Tierney.
For her part, Ms. Kao does not believe the breach is related to the flaws that Mr. Tierney had brought to her attention.
NurseryCam’s director subsequently apologized for the incident: “NurseryCam sincerely apologizes to all our parent users and nurseries for the incident. We are very sorry.”