News broke over the weekend that a webcam system that lets parents drop in and watch their children while at nursery school has written to families to tell them of a data breach. NurseryCam said it did not believe the incident had involved any youngsters or staff being watched without their permission, but had shut down its server as a precautionary measure.
<p>This breach shows the importance of acting speedily when any irregularities are spotted in a company’s systems. Thankfully this swift action has meant that the data was not used to cause any harm prior to the systems being taken down.</p>
<p>All businesses that work with children in some way have a duty of care to ensure that their online safety is maintained, and to keep sensitive data private and stored securely.</p>
<p>Simple steps can be put in place by any company that experiences a data breach to ensure it doesn’t happen again. This includes ensuring full visibility of company endpoint devices and securing cloud networks to prevent unwanted access to customer data.</p>
<p>Having a company culture which prioritises cybersecurity and encourages business stakeholders to work regularly in partnership with IT and security professionals can also act as an effective preventative measure. When offering a service which involves holding sensitive data related to vulnerable people, such as children, having adequate cyber defences in place is of the utmost importance.</p>
<p>This case highlights the importance of proper procedures in design and implementation, particularly for a sensitive product/solution aimed at monitoring children. The current actions of the vendor are right in taking down the service until a solution can be implemented. Organisations would be well-advised to embrace secure-by-design practices to avoid similar incidents. They should also work closely with security professionals to identify issues sooner rather than later.</p>
<p>For anyone worried about privacy and invasion of one’s private space, having the initial thought of installing a form of security camera open to parents to log in to and check in on their kids is a very dual-edged blade. You can choose this increased transparency but at the risk of privacy, and with a guaranteed invasion of privacy of concerned staff and kids. It’s also clear that a parent accessing a camera will of course also be able to see other children and parents in the space where cameras are installed. This is essentially something that would only fly in a country already so used to the ever-present monitoring that it feels like normal everyday life, such as the UK. Any and all breaches are sad and unnecessary, but worrying about privacy when you deeply invade the privacy of others feels like a very special circumstance.</p>
<p>There have been many horror stories about internet-connected baby monitors and security cams being accessed without the owner’s permission, so NurseryCam have certainly done the right thing by alerting their customers of this data breach and shutting down their servers as a precaution. Everyone whose details might have been compromised should swiftly reset their login details, while NurseryCam will work to solve the issue.</p>
<p>In general, the advice is not to configure any security cameras to be accessed directly across the Internet. Although I frequently point out the risks of connecting personal gear into vendor cloud infrastructures, cloud-based cameras do, generally speaking, provide an advantage over traditional IP cameras because users can access them through vendor apps without needing to publicly expose the cameras. Oftentimes these devices do not accept any incoming connections which could be abused by hackers and instead solely connect to the vendor’s system to receive commands and relay data. Although this may seem like a clear reduction of attack surface, it is actually more accurately described as relocating the risk from home networks and ISP addresses to vendor infrastructures which may house data for millions of other users.</p>
<p>My personal solution is to have security cameras and baby monitors which are only accessible from an internal home network or through an encrypted tunnel to the home network.</p>