Fausto Oliveira, Principal Security Architect at Acceptto, says that this is extremely concerning and demonstrates a series of gaps that he has pointed out several times in the past when talking about IoT. "I cannot understand why 3M or Neology didn't ship their systems with a set of security controls that would have prevented this incident from happening in the first place. There is no reason why a system that has access to so much private data is exposed on the Internet. There is absolutely no reason why such a system wouldn't enforce good authentication practices and require a form of Multi-Factor Authentication (MFA); after all, we are talking about tracking the movement of members of the general public. Access to such a system should be secured, and access to this system should only be granted to members of the organization who have a legitimate legal / business need," he says.
To make matters worse, Oliveira adds, the fact that the web cameras are accessible from the Internet, without any form of protection, is opening "the door for any attacker to be able to obtain information about potential victims such as what is their habitual way to work, what time they leave, places they frequent, etc… With some sophistication, attackers could set up a surveillance system of their own to track the whereabouts of their victims. In the end, and in light of GDPR, the general public will have to pay the cost of this event twice. Firstly by losing their privacy and secondly, and I sincerely hope this happens, when the UK ICO fines the council for breaching the privacy of the general public, diverting essential financial resources."