Incident Details

Incident: Exposed Database of Chinese Facial Recognition Company Leads to Privacy Breach

Published Date: 2019-02-13

Postmortem Analysis
Timeline	1. The software failure incident of the exposed SenseNets database happened in July 2019 [80997].
System	The system that failed in the software failure incident reported in Article 80997 is: 1. SenseNets' facial recognition database security system [80997]
Responsible Organization	1. SenseNets, the Chinese facial recognition company, was responsible for causing the software failure incident by leaving its database exposed online without proper protection [80997].
Impacted Organization	1. Individuals whose information was exposed, including their ID card number, address, birthday, and locations [80997].
Software Causes	1. Lack of password protection on the database, allowing unauthorized access to sensitive information [80997].
Non-software Causes	1. Lack of password protection on the database, allowing unauthorized access to sensitive information [80997].
Impacts	1. The exposed database led to the compromise of sensitive personal information of millions of people, including their ID card numbers, addresses, birthdays, and locations where they were spotted by facial recognition technology [80997]. 2. The incident raised concerns about potential security threats, such as burglary and social engineering attacks, as malicious actors could track individuals' movements in real-time based on the data available in the unprotected database [80997]. 3. The exposed database included records of locations like police stations, hotels, tourism spots, parks, internet cafes, and mosques, potentially compromising the security and privacy of individuals frequenting these places [80997]. 4. The incident highlighted the risks associated with the widespread use of facial recognition technology in China, where surveillance is pervasive, and citizens' behaviors are monitored through facial recognition for purposes like assigning social credit scores [80997]. 5. The incident underscored the criticism of facial recognition technology as an invasion of privacy, allowing government agencies to track individuals without their consent, raising concerns about the misuse of such technology for surveillance and control [80997].
Preventions	1. Implementing proper access controls and authentication mechanisms to ensure that databases are protected with strong passwords [80997]. 2. Conducting regular security audits and vulnerability assessments to identify and address any potential weaknesses in the system [80997]. 3. Encrypting sensitive data stored in the database to prevent unauthorized access even if the database is exposed [80997]. 4. Responding promptly to security warnings and notifications from external researchers or organizations to address any vulnerabilities before they are exploited [80997].
Fixes	1. Implement proper access controls and encryption measures to secure the database, ensuring that it is not left exposed online [80997]. 2. Regularly conduct security audits and vulnerability assessments to identify and address any potential weaknesses in the system [80997]. 3. Establish a response plan for incidents of data exposure or unauthorized access, including promptly addressing any reported vulnerabilities or breaches [80997].
References	1. Victor Gevers, a Dutch security researcher with the GDI Foundation [80997]

Software Taxonomy of Faults

Category	Option	Rationale
Recurring	one_organization	(a) The software failure incident having happened again at one_organization: The incident of a Chinese facial recognition company, SenseNets, leaving its database exposed online is a clear example of a software failure within the same organization. The security researcher Victor Gevers discovered that SenseNets failed to protect its database with a password, exposing sensitive information about millions of people [80997]. (b) The software failure incident having happened again at multiple_organization: There is no specific information in the provided article indicating that a similar incident has happened at other organizations. Therefore, it is unknown if this software failure incident has occurred at multiple organizations.
Phase (Design/Operation)	design, operation	(a) The software failure incident related to the design phase can be attributed to the failure of SenseNets, a Chinese facial recognition company, to properly secure its database. The incident occurred because the company failed to protect the database with a password, leaving it exposed online and accessible to anyone. This failure in the design of the system's security measures led to the exposure of sensitive information about millions of people, including their ID card numbers, addresses, birthdays, and locations where the facial recognition technology had spotted them [80997]. (b) The software failure incident related to the operation phase can be seen in the misuse of the exposed database. The database, which contained over 2.5 million records on people and their movements, was left wide open for viewing by anyone. This operational failure allowed for the tracking of individuals' movements in real-time based on the facial recognition data collected by SenseNets. Additionally, the database being accessible to anyone meant that a malicious actor could potentially add or delete records from it, indicating a failure in the operational security measures of the system [80997].
Boundary (Internal/External)	within_system, outside_system	(a) within_system: The software failure incident involving the Chinese facial recognition company SenseNets was primarily due to factors originating from within the system. The incident occurred because the company failed to protect its database with a password, leaving it exposed online and accessible to anyone. This failure to implement proper security measures internally led to the exposure of sensitive information about millions of people, including their ID card numbers, addresses, birthdays, and locations where the facial recognition technology had spotted them [80997]. (b) outside_system: The incident also involved external factors, such as the actions of malicious actors who could potentially exploit the exposed database. For example, the security researcher who discovered the exposed database noted that someone had previously attempted to hold the database ransom. Additionally, the widespread use of facial recognition technology in China, as part of government surveillance efforts, contributed to the broader context in which the incident occurred. This external environment of pervasive surveillance and potential privacy violations played a role in the software failure incident [80997].
Nature (Human/Non-human)	non-human_actions, human_actions	(a) The software failure incident in Article 80997 occurred due to non-human actions. The failure was a result of the Chinese facial recognition company, SenseNets, leaving its database exposed online without proper password protection. This allowed anyone to access the database containing sensitive information about millions of people, including their ID card numbers, addresses, birthdays, and locations where the facial recognition technology had spotted them. The exposure of the database was discovered by a security researcher, Victor Gevers, who found that the database had been available since July and contained over 2.5 million records on people. The incident highlights a failure in the company's security measures and the lack of proper safeguards to protect the data [80997]. (b) The software failure incident in Article 80997 can also be attributed to human actions. Despite being warned about the open database by the GDI Foundation, SenseNets did not respond to the request for comment or take action to secure the database. This lack of response and failure to address the security vulnerability in a timely manner can be considered a human action contributing to the incident. Additionally, the article mentions that someone had previously attempted to hold the database ransom, indicating potential malicious human actions targeting the exposed database. Overall, the incident involved a combination of non-human actions (lack of password protection) and human actions (lack of response to warnings and potential ransom attempts) that led to the software failure [80997].
Dimension (Hardware/Software)	software	(a) The software failure incident in Article 80997 was not directly attributed to hardware issues. The incident involved a Chinese facial recognition company, SenseNets, leaving its database exposed online due to a lack of proper security measures like password protection. This exposed sensitive information about millions of people, including their ID card numbers, addresses, birthdays, and locations where the facial recognition technology had spotted them. The incident was primarily a result of inadequate security practices in the software system rather than hardware issues [80997]. (b) The software failure incident in Article 80997 was primarily caused by software-related factors. The incident occurred because SenseNets failed to protect its database with a password, allowing unauthorized access to sensitive information. This highlights a software vulnerability that led to the exposure of millions of records on individuals, including their personal details and locations tracked by the facial recognition technology. The lack of proper software security measures and oversight contributed to this significant data breach [80997].
Objective (Malicious/Non-malicious)	malicious	(a) The software failure incident in Article 80997 can be categorized as malicious. The incident involved a Chinese facial recognition company, SenseNets, leaving its database exposed online, which revealed sensitive information about millions of people. The database was not protected with a password, allowing anyone to access and track individuals based on real-time facial recognition data. Additionally, the security researcher who discovered the exposed database noted that someone had previously attempted to hold the database ransom, indicating malicious intent [80997].
Intent (Poor/Accidental Decisions)	poor_decisions	(a) The intent of the software failure incident related to poor_decisions: The software failure incident involving the Chinese facial recognition company, SenseNets, leaving its database exposed online was primarily due to poor decisions made by the company. The database containing sensitive information about millions of people, including their ID card numbers, addresses, birthdays, and locations, was left unprotected without a password. This poor decision allowed anyone to access and track individuals based on real-time facial recognition data. Additionally, the database had been available since July, indicating a lack of proactive security measures by SenseNets [80997].
Capability (Incompetence/Accidental)	development_incompetence, accidental	(a) The software failure incident in Article 80997 can be attributed to development incompetence. The incident occurred because the Chinese facial recognition company, SenseNets, left its database exposed online without any password protection, allowing anyone to access sensitive information about millions of people. This lack of professional competence in securing the database led to a significant privacy breach [80997]. (b) Additionally, the incident can also be categorized as accidental, as it seems that the exposure of the database was not intentional but rather a result of negligence or oversight on the part of SenseNets. The security researcher who discovered the exposed database, Victor Gevers, reached out to the company to warn them about the issue, indicating that the exposure was not deliberate but accidental [80997].
Duration	permanent	(a) The software failure incident in this case appears to be permanent as the database of the Chinese facial recognition company, SenseNets, was left exposed online for an extended period of time. The database containing sensitive information about millions of people, including their ID card numbers, addresses, birthdays, and locations, was available since July and was discovered by a security researcher in February [80997]. The exposure of this database for such a duration allowed anyone to access and potentially manipulate the data, posing significant risks to the individuals whose information was stored in the database.
Behaviour	other	(a) crash: The software failure incident in the article does not involve a crash where the system loses state and does not perform any of its intended functions. The incident is more related to a security breach where sensitive data was exposed due to a lack of proper protection mechanisms [80997]. (b) omission: The incident does not involve the system omitting to perform its intended functions at an instance(s). Instead, it is about the exposure of a database containing sensitive information due to a lack of security measures [80997]. (c) timing: The failure is not related to the system performing its intended functions correctly but too late or too early. It is more about the lack of security measures leading to the exposure of sensitive data [80997]. (d) value: The software failure incident is not about the system performing its intended functions incorrectly. It is more about the lack of proper protection mechanisms resulting in the exposure of sensitive information [80997]. (e) byzantine: The incident does not involve the system behaving erroneously with inconsistent responses and interactions. It is primarily about the security vulnerability that allowed unauthorized access to a database containing personal information [80997]. (f) other: The behavior of the software failure incident in the article can be categorized as a security breach due to the exposure of a database containing sensitive information, including ID card numbers, addresses, birthdays, and locations of individuals, as a result of the system not being properly secured with a password [80997].

IoT System Layer

Layer	Option	Rationale
Perception	None	None
Communication	None	None
Application	None	None

Other Details

Category	Option	Rationale
Consequence	property, theoretical_consequence	(d) property: People's material goods, money, or data was impacted due to the software failure The software failure incident involving the Chinese facial recognition company SenseNets exposed a database containing sensitive information about millions of people, including their ID card numbers, addresses, birthdays, and locations where they were spotted by the facial recognition technology [80997]. This exposure of personal data could have led to potential theft of sensitive information, such as addresses and ID numbers, impacting individuals' property and data security. Additionally, the database being wide open for viewing by anyone could have allowed malicious actors to add or delete records, further compromising the security and integrity of the data [80997].
Domain	information	(a) The software failure incident reported in the article is related to the information industry. The incident involved a Chinese facial recognition company, SenseNets, leaving its database exposed online, which contained sensitive information about millions of people [80997]. The company offers facial recognition technology and crowd analysis, which could track people across cities and pick them out in large groups. The database exposed by the company included records on people's ID card numbers, addresses, birthdays, and locations where SenseNets' facial recognition technology had spotted them. This incident highlights a significant breach of personal information within the information industry.

Sources

Chinese facial recognition company left database of people's locations exposed - CNET - Published on: 2019-02-13
Article ID: 80997

Back to List