Choosing to give the budget-friendly, internet-connected home-security camera from Wyze Labs was an easy decision for holiday shoppers after the gadget landed on several top tech gift guides. But on Monday, Wyze executives said the information of 2.4 million customers had been exposed to the public.
Camera information, Wi-Fi network details and email addresses of customers were exposed from Dec. 4 to Dec. 27, the executives said.
The breach was made public by the Twelve Security blog on Dec. 26. Twelve Security is a consulting firm that works to create secure computing environments.
Executives at Wyze Labs were made aware of the data breach when a customer posted the blog post from Twelve Security on a Wyze online forum.
Wyze immediately began to audit its security protocols and found a second breach on Dec. 27, Dave Crosby, a co-founder of Wyze, said Monday. An investigation into the breaches is ongoing.
The indoor home-security camera was a popular gift for the holidays. This year, Wirecutter and CNN put the one made by Wyze Labs on their lists of top tech gifts. (Wirecutter is a review website owned by The New York Times Co.)
Wyze Labs offers a discreet, Wi-Fi connected camera at the budget price of $20. Other indoor cameras sold by Ring or Nest start at $60 or $200.
The first Wyze breach occurred after an employee created a flexible database to quickly pull user analytics, such as camera-connectivity rates, user growth and the number of devices connected per user, Crosby said.
That employee removed the security protocols on the new database, exposing customers’ personal information. Customers’ passwords were not saved on the breached database, so hackers could not access live camera feeds, said Dongsheng Song, a co-founder at Wyze.
“We didn’t properly communicate and enforce our security protocols to new employees,” Song said. “We should have built controls, or a more robust tool and process to make sure security protocols are followed,” he added.
Wyze executives said that the employee who made the mistake is still employed at the company.
“It was an accident,” Crosby said. “We are very, very sorry and taking it very seriously.”
Wyze plans to send an email to its customers Monday night detailing the first breach and the actions the company is taking to further protect their information, Crosby said.
At a time when people expect to be connected around the clock, home indoor-security cameras are having a moment.
New parents want to keep their eyes on a fussy newborn. Pet owners want to make sure the family dog isn’t chewing through their closets when they aren’t home.
A cloud-enabled, Wi-Fi-connected home-security camera alleviates many of those worries. But the convenience of keeping tabs on things may create an opportunity for hackers.
“Consumers have zero control,” Jennifer King, the director of consumer privacy at the Center for Internet and Society at Stanford Law School, said Monday. “We are definitely at the point where if we want to change anything, we need regulation.”
In the past month, there have been several cases of hackers gaining access to indoor home-security cameras. In one case, a hacker called the child of a biracial couple a baboon. In another case, a hacker told a child that he was Santa Claus and called her a racial slur.
“The more all of this data goes on the cloud, the more vulnerable we are,” King said. “If the company isn’t necessarily practicing the best security practices, you can do all you can and you’re still going to be exposed.”
The United States has yet to enact a consumer data-protection law and to create an independent agency to enforce it. Americans have the Federal Trade Commission (FTC), an agency that oversees privacy policy but has increasingly failed to police tech companies.
“The FTC is an old agency and they don’t have the same rule-making authority that an agency like the Environmental Protection Agency has,” King said.
Some senators have tried to create a space for consumer data to be protected by the FTC. In October, Sen. Ron Wyden, D-Ore., introduced the Mind Your Own Business Act. The bill would allow the FTC to impose fines for privacy violations and would make it a crime for companies to lie to regulators about their data practices.
While Congress has not passed federal legislation to provide consumers with protections against data breaches, all 50 states and Washington, D.C., Guam, Puerto Rico and the U.S. Virgin Islands have enacted laws that require companies like Wyze to make their customers aware of data breaches that involve their personal information, Riana Pfefferkorn, the associate director of surveillance and cybersecurity at the Stanford Center for Internet and Society, said in an email Monday.
“In recent years an increasing number of states have enacted data-security laws as well,” Pfefferkorn said. “Those laws require entities that hold personally identifiable information about a state’s residents to make reasonable efforts to secure that information — to prevent a breach from happening in the first place.”
Affected consumers often bring class-action lawsuits against companies for careless security practices.
“We can anticipate that Wyze will be hit with regulatory investigations and consumer lawsuits in the near future,” Pfefferkorn said.
Executives at Wyze said they understood that their customers’ trust is what keeps the company in business.
“Our whole business model is built on trust,” Crosby said.
Pfefferkorn said consumers should be conscious of how much cloud-enabled tech they truly need.
“Consumers should be wary of low-priced ‘smart home’ devices — what you save in money, you might pay for with a breach of your sensitive information,” Pfefferkorn said. “In addition, consumers should think twice about just how ‘smart’ they need, say, a scale to be anyway.”