No GDPR Penalties For UK Swann 'Spying Hack'
The UK’s data protection agency has closed its investigation into Infinova-owned Swann Security UK, the ICO confirmed to IPVM, deciding to take “no further action” after customers unintentionally received video from different users in separate incidents earlier this year.
These data breaches received substantial media attention in June/July 2018, such as:
- The BBC - Swann's home security camera recordings could be hijacked: A popular wireless security camera designed to safeguard businesses and homes was vulnerable to a spying hack.
- The Inquirer - Swann camera customers report receiving the wrong footage
- Daily Mail - 'Anyone could have seen where we put our money!': Pub owner slams security firm Swann
This took place after the arrival of the GDPR - broad new European privacy regulations which include the prospect of heavy fines for such incidents.
In this note, we examine what happened, the UK’s response to IPVM, and what the GDPR implications are for manufacturers and sellers of IoT devices such as video surveillance.
What ********
** ****,*** *** ************ *** ** *** ******** *** owned * ***** ****** ******* ********* video **** * ********’* ******* ** her ********** ***. *** *** ***** a **** ******* ********, **** **** in ***, **** * ********* ***** customer ********** ** ******* ** ********* video **** ** ******* ***.
***** ***** **** ********, ******* *** first ** * ************* ***** *** the ****** ** ********* ***** *********** being **** *** **** *******.
** * ******** ****,** *** ******* **** ***************“************ ******** ***** ***** **** *** camera ** *******” ** *****’* ***** service, ********* “********* ****** ** ******’* camera.” ***** **** ***** **** *****, which *** *** ****** ** ******'* personal *********** ***** ********.
ICO ************
** *** **, ****** *** **, a ****** ******** ****** – ************** ************’* ****** ** ***- ******** *** **** ********** *******. It ************ *** ***** ******** ******** reported ** *** *** *** ******* months, ********* **** **** **** **** the **** *** **** *******:
*** **** ********* ***** ************** (******) Limited *** **** ****** **** ** further ******. *** **** ** ********* being ****** ** *********** *** ********** low *** ** **** ********* *** company *** ********** *** *** ************ sufficient ******** ***** ***** ********** *** own *************
GDPR ********** *****
***** **** ******** **** ***** ***** the ************** ** *** ** ** the **’* *** **** ******* *****, the ****, ***** ****** *** **.
*** ********* **** ***** ********** ** GDPR ********** **** ********* **’* *************** “******* ******** **** *** *** made ********** ******* *** **********’* ************ to ** ********** ****** ** ******* persons.”
************* *** *********** ***** **** ******* about ****** ***** **** ********* ** they *** ******** ** ********, ***** the******* ******** ** ** ** ** ******* euros ** *% ** ********* *******.
How ***** ******* **** *********
*******, *** ***’* ******** *** ** sanction ***** ***** ****, ** ***, fears ** ******** *** ***-******** **** fines *** ** ***** ************ ********* are *********.
*** **** ****** ***** *********** ****** to ******** *********** **** ** ***** to ******** ******* ** *** ** punish *********.******* ** **** ************** *** ****** *** “***********,” ******* there *** * “******* ** **** measures ** ******** *** ****** ***** occurred,” *** ******* ***** *** * “lack ** ************* **** ***********”.
** ****** *** ***** *** *********** with ***********, ***** *** **** ** avoid ********* **********.
GDPR ************
************* ****** *** **** **** **** as ******** **** *** **** ** toothless. ***-**** ********* ****** ********, ***** a *** ****** **** ****** ** Swann’s ***** *** **** *** ****** only ******** * *** ******, **** of **** ***** *** ********** *** compensation ** ******* ************ **.
************, *** ***** **** **** **** establish * ********* ********* ** ************* and *********** **** ** ***** ** data ********. ** **** ***** *** importance ** ***** ********** *** *********** with *********** ** **** ** * breach.
IPVM’s *** ********* ***** *** ********
*** *** ** ****************** ****’* **** ********* ***** ****** recognition***** **** ********** ** ***** ** London.
*** ******-**** ************* ** ***** ******** and ***** *** ** ** ********** of ******* ******* ****** ** * ***** in **** *************** ** ******** **** ********** ******** – ******* ****** ****** ******* **** manufacturers *** ***********’ *****.
*’** *** *** **** ********** **** a ******* ******** **.
** ****** **** *** ********** ***, *** *** GDPR, **** **** **** ** ** surprise *** ***** ** **** **** a ******** ****-****. **** *** *** first **** ** **** ** *** 80's, * ******** ** "*******" ******* setting ** ********* *** ******** ****** of ****** **** ****** *** ****** on *** ********** ***** **** ** huge ***** ** *** ******* ** use ***** ********. *** **** *** was ** ******* *********** **** *** ****** available ** *** ******, **** ****** created *** **** ** ******** ***** and ************ **** ***** ***** **** been ******** ** ***** ******. **** were ***** ** * ********* ** be **** **** ** *********** ***** of ****** ****** *** ******** ******.
*** **** *** *** ** ****** with ****, ** ** ***** **** case **** **** **********. *** ***** concept ** **** *** *** ** a ******** ******** ** * **** breach. ** ********** *** *****, ****** and ****** ** ****** * ******** and ******** ** ** ****. ***** clear ****** ** **********, ******* **** deliberate ******** ******* *** **** ******** abuse ** *** **** ********* - this ***** **** ** * ******** toward *** ****** *** *********. *** to *** ******** ***** *** * ******** minor ****** ***** ***** ** **** likely ** ****** *** ** **** damage ** ******** **** ********* ** reasonable.
*** ** *** * ****** ********* ******* on ***** ******* - ** ******* it *** **** ** *** *******, but ****** ******** **** ** ********** of ********* *** *** *** **** for **** *****. ******** - **** was ***** *** ** *********** *** CCTV, *** *** ******* ** **** is *** **** ****** ******** ** it. ***** **** ******* ************* **** ******** ** *** ******** data ********* **** ****** **** ***** Facebook, *****, ******* *** **** ********** **** ******** ****** ******* *****, livelihood's *** ******** ** * *********** effect *** *** *** * ****** idea ** **** **** *** *** up ** **.
*** ********** ** **** ***** ********* will ** ******** - **** ****** given *** ******* ** ***** *** "issue" **** ***** - * **** exhibition ************* *** ******** ***** **********. I ****** **'* * **** *********, but ** ** ****** **** ***** fry **** *** **** ** *** appalling ******* *** ***** ** **** taking ***** *********. **'* **** ********** considering **** ****** *** *** *** GDPR *** ** ********** ** ****, its * ***** **** ****** **** anything ** ***** ******* ** *** EU ***** *** **** ****** ** data ********** *** ***** ** *** only ***** *********** - *** **** enabled ** *** ** **** ****** where * ****** *********** ******** ***** **************'* **** ***** ** ******* ******* in *** **** ** *** *** of ********* *****.
* ** ********* ** **** ********** are ***** ** ******* ** ********** like **** ******** *******.