Clearview AI, the controversial and secretive facial recognition company, recently experienced its first major data breach — a scary prospect considering the sheer amount and scope of personal information in its database, as well as the fact that access to it is supposed to be restricted to law enforcement agencies. BuzzFeed News says it gained access to the leaked documents, and indeed, it looks like Clearview was working with everyone from US Immigration and Customs Enforcement (ICE) to the NBA.

The new BuzzFeed report paints a chilling picture of Clearview’s scope and ambition to market its all-powerful facial recognition technology. Not only does the client list revealed in the leaked documents include references hundreds of local police departments as well as federal agencies like ICE, Customs and Border Patrol (CBP), and the US Attorney’s Office for the Southern District of New York, but it also shows that retail companies like Best Buy, Walmart, and Macy’s have conducted trials with Clearview. There are also international entities like Interpol and a research center in Saudi Arabia not to mention some private investigators in the mix.

All this information flies in the face of Clearview’s previous claims that it only worked with domestic law enforcement agencies. It also raises questions about Clearview’s plans to make a publicly available facial recognition app, which experts have described as dangerous. BuzzFeed News reports:

For a company that maintains its tools are for law enforcement, Clearview’s client list includes a startling number of private companies in industries like entertainment (Madison Square Garden and Eventbrite), gaming (Las Vegas Sands and Pechanga Resort Casino), sports (the National Basketball Association), fitness (Equinox), and even cryptocurrency (Coinbase). The logs also show that the startup is particularly interested in banking and finance, with 46 financial institutions trying the facial recognition tool.

There’s more:

Employees at big-box retailers, supermarkets, pharmacy chains, and department stores have also trialed Clearview. Company logs reviewed by BuzzFeed News include Walmart (nearly 300 searches), Best Buy (more than 200 searches), grocer Albertsons (more than 40 searches), and Rite Aid (about 35 searches). Kohl’s, which has run more than 2,000 searches across 11 different accounts, and Macy’s, a paying customer that has completed more than 6,000, are among the private companies with the most searches.

Several of the companies listed above have distanced themselves from Clearview. Others, like the NBA and Coinbase, admitted to conducting trials of the software.

“While we conducted a limited test as we do with an array of potential vendors, we are not and have never been a client of this company,” the NBA said in a statement to Recode.

“We are not Clearview AI clients,” Best Buy said in an email to Recode, “We don’t use Clearview AI and don’t plan on using it in the future.”

Meanwhile, privacy advocates are very concerned about the consequences of the Clearview’s technology as well as its security issues.

“This list, if confirmed, is a privacy, security, and civil liberties nightmare,” Nathan Freed Wessler, a staff attorney with the ACLU, told Recode. “Government agents should not be running our faces against a shadily assembled database of billions of our photos in secret and with no safeguards against abuse.”

Following the breach, Gizmodo managed to get its hands on a version of Clearview’s Android app, which was stored on a publicly accessible Amazon server. While a login was needed to access Clearview’s facial recognition system, Gizmodo was able to see some code that indicated features under development including voice search, the ability to take photos in the app that could be matched to Clearview’s database, and the ability to scan drivers license barcodes. CEO Hoan Ton-That told Gizmodo that the latter feature “doesn’t scan drivers licenses,” despite the fact that the file is named “Barcode$DriverLicense.smali.”

Before these details emerged, the Daily Beast reported that an intruder gained “unauthorized access” to Clearview’s client list, its number of user accounts, and a number of searches its customers have conducted. That client list now appears to be particularly sensitive, especially since it contradicts Clearview’s earlier statements about working with a limited number of law enforcement agencies.

For now, there is no evidence that Clearview’s database of 3 billion photos was hacked. But the fact that the company could be breached at all is worrisome enough. Clearview says it obtained these photos by scraping publicly available images from all over the internet. The company’s software uses proprietary facial recognition technology to help law enforcement agencies identify suspects by matching their images with those in the database.

Clearview’s lawyer, Tor Ekeland, seemed blasé about the news in his response to Recode.

“Security is Clearview’s top priority,” he said. “Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security.”

Sen. Edward J. Markey, who has been highly critical of the company, said in his own statement that Clearview’s comments would be “laughable” if its “failure to safeguard its information wasn’t so disturbing and threatening to the public’s privacy.”

“This is a company whose entire business model relies on collecting incredibly sensitive and personal information, and this breach is yet another sign that the potential benefits of Clearview’s technology do not outweigh the grave privacy risks it poses,” Markey said.

Though Clearview is playing the breach off as a minor and quickly solved problem, it brings up larger issues that have been bubbling under the surface since Clearview’s existence was made widely known last month in a New York Times report. Those include worries about what would happen should Clearview’s data fall into the wrong hands, and how much confidence we should really have in the cybersecurity practices of a private company we know little about and have no reason to trust.

If security is indeed Clearview’s top priority, this data breach doesn’t bode well. If the client list really does represent the number and type of companies and agencies with access to Clearview’s powerful technologies, this situation might be much more serious than previously thought.

Update, February 28, 2020, 1:40 pm ET: Updated to include new details from a Gizmodo report as well as statements from Best Buy, the NBA, and the ACLU.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.