NurseryCam daycare monitor suffers data breach, according to UK media

A popular daycare camera system has come under cyberattack, according to numerous UK media sites. Initially reported by the BBC, then reported in detail by The Register, NurseryCam (which is owned by FootfallCam Ltd and Meta Technologies Ltd) has, in the words of the Information Commissioner’s Office (ICO), “reported a possible data breach.” NurseryCam is an Internet of Things (IoT) service that lets parents check in on the daycare where their children are. The idea is that a parent who is concerned at any point that their child is not doing well in daycare can log in to the CCTV system and check on them. With over 15,000 users in the UK, a compromise of that system would be disastrous.

The Register claims in their report to have made contact with the hacker responsible. In the following excerpt, the hacker explains just what they gained from the NurseryCam attack:

A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users’ accounts — and had then dumped them online.

Although this person claimed to have “redacted” those details, the redaction was so poor it was trivial to figure out the real names and contact details of NurseryCam’s parent users. El Reg, together with IoT security expert Andrew Tierney, verified that the credentials were genuine before notifying NurseryCam of the breach. The company began emailing parents the following day after taking its cameras offline.

What is concerning about this NurseryCam hack is that it appears to have been entirely preventable. The Register indicated that security-aware customers and InfoSec researchers have found vulnerabilities in the past. In one recent and frankly bizarre instance, gray hat hackers disclosed vulnerabilities to FootfallCam Ltd. Instead of immediately taking action and patching the exploitable vulnerabilities, the company accused the individuals of extortion and threatened legal action. Going back to 2015, the company seems to have a pattern of trying to quash vulnerability reports instead of doing the right thing and fixing the problem. If the passwords really were stored as plain SHA-1 hashes, as the dump suggests, that alone is a weakness: SHA-1 is a fast general-purpose hash, not a password-hashing function, so a leaked set of such hashes can be cracked far more quickly than one produced by a proper slow, salted scheme. By maintaining a toxic relationship with the cybersecurity community while apparently shipping vulnerable products, the company seemed to be inviting a major incident.

This certainly qualifies as a significant incident, and quite honestly, a bizarre one.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating a society that is informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

