NurseryCam data breach: Personal data records accessed by hacker

NurseryCam, a popular webcam service used by atleast 40 nurseries across the UK to help parents to keep a tab on their children, suffered a major security breach recently that exposed vast amounts of personal information to a hacker.

The security incident affected NurseryCam occurred due to a vulnerability in the webcam system that exposed details like names, email addresses, usernames, and passwords to unauthorised access.

Footfallcam Ltd., the company that owns NurseryCam, said that the security incident did not expose any footage of any individual, youngsters or staff, being watched without their permission. Dr Melissa Kao, director of Footfallcam Ltd., said that "the person who identified the loophole has so far acted responsibly. He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures."

NurseryCam came to know about the security incident on Friday evening and notified the Information Commissioner’s Office (ICO) about the incident. Also, as a precautionary measure, Footfallcam Ltd. shut down the NurseryCam server to control further damage and will resume services once the vulnerability is patched.

Footfallcam Ltd. advertises NurseryCam as a secure webcam service that allows parents to see live images of their children in childcare centres and day nurseries securely. It was found in 2002 by sisters Liz Makins and Jo Callaghan to enable parents to keep tabs on their children in nurseries and day care facilities.

Footfallcam Ltd. faced similar allegations of poor security controls earlier when parents alleged that the application had security vulnerabilities and anyone who downloaded the mobile app could view admin credentials without going through an authentication process.

Security researcher Andrew Tierney contacted the hacker and offered his help to NurseryCam to resolve the security snafu. “These issues would allow any parent, past or present, to access the video feeds from the nursery. There is also the chance that anyone on the Internet could have accessed them. I don't know who this guy is but what I've done is send NurseryCam the weak points in its system that I had spotted over the last couple of weeks,” he added.

Ms Kao has issued a public apology and has stressed that the security vulnerability is not related to the previous allegation brought against the company. "NurseryCam sincerely apologises to all our parent users and nurseries for the incident. We are very sorry," she added.

Commenting on the security flaw affecting the webcam service, Sam Curry, Chief Security Officer at Cybereason, said, "Kudos to the white hat hacker that stepped forward after discovering the vulnerability and to NurseryCam for its transparency in disclosing the security flaws in its webcams. It is important that NurseryCam didn't try to play the victim card as no one will want to hear it.

"There is an easy solution and it is fixing the security flaws in the system as soon as possible. Similarly to the NurseryCam vulnerability, there have been many headlines over the years regarding baby monitor hacks that led to homes being scanned and unidentifiable voices speaking to babies or shouting expletives.

"That being said, the vast majority of baby monitors don't get hacked and parents need not worry about the safety of their children. I am confident NurseryCam will take the proper steps to reduce risks in the future so that parents can have peace of mind knowing that no unauthorised people are eavesdropping on their children," he added.

Private webcams, and indeed many other Internet-connected devices, have previously been found lacking strong security controls to prevent the leakage of stored data or to defend against vulnerability exploitation by malicious actors. Earlier, Avishai Efrat, working as a white hat researcher for WizCase, discovered the presence of as many as 15,000 internet-connected private webcams sold by multiple companies worldwide that could be accessed by anyone with an Internet connection because of their lack of security protections.

Efrat found that these vulnerable private webcams belonged to various device types such as AXIS net cameras, Cisco Linksys webcam, IP Camera Logo Server, IP WebCam, IQ Invision web camera, Mega-Pixel IP Camera, Mobotix, WebCamXP 5, and Yawcam.

This is because these devices featured easily predictable and standard default credentials for admin access that could easily be second-guessed by cyber criminals. Once admin access was obtained, a hacker could not only view private videos recorded by these webcams, but could also manipulate them, edit their settings, and gain additional privileges.

All the affected private webcams were being used by individuals, businesses, private institutions, places of worship, and other organisations in a large number of countries, including the UK, USA, Germany, France, Australia, Canada, Spain, and Japan.