James Martin / CNET

Clearview AI, a facial-recognition software maker that has sparked privacy concerns, said Wednesday it suffered a data breach. The data stolen included its entire list of customers, the number of searches those customers have made and how many accounts each customer had set up.

"Security is Clearview's top priority," Tor Ekeland, Clearview AI's attorney, said in a statement. "Unfortunately, data breaches are part of life in the 21st century. Our servers were never accessed. We patched the flaw, and continue to work to strengthen our security."

The company didn't specify the flaw. The data breach was first reported by The Daily Beast.

Clearview's clients are mostly law enforcement agencies, with police departments in Toronto, Atlanta and Florida all using the technology. The company has a database of 3 billion photos that it collected from the internet, including websites like YouTube, Facebook, Venmo and LinkedIn.

New York City-based Clearview said the database of images wasn't hacked.

Its photo-scraping and facial recognition capabilities have raised privacy concerns. Lawmakers like Sen. Ed Markey, a Democrat from Massachusetts, have said that the company poses "chilling privacy risks." Those concerns led the New Jersey attorney general to ban police from using Clearview AI across the state earlier this year.

"Clearview's statement that security is its 'top priority' would be laughable if the company's failure to safeguard its information wasn't so disturbing and threatening to the public's privacy," Markey said in a statement. "This is a company whose entire business model relies on collecting incredibly sensitive and personal information, and this breach is yet another sign that the potential benefits of Clearview's technology do not outweigh the grave privacy risks it poses."

Sen. Ron Wyden, a Democrat from Oregon, also criticized Clearview AI for its breach. Wyden has proposed legislation that would punish tech company executives for lying about cybersecurity standards.

"Shrugging and saying data breaches happen is cold comfort for Americans who could have their information spilled out to hackers without their consent or knowledge," Wyden said in a statement. "Companies that scoop up and market vast troves of information, including facial recognition products, should be held accountable if they don't keep that information safe."

Tech giants like Google, Facebook and Microsoft have also sent Clearview AI cease-and-desist letters for scraping images hosted on their platforms.



Originally published Feb. 26, 7:40 a.m. PT.

Updates, 8:52 a.m.: Adds statement from Markey; 12:02 p.m.: Includes statement from Wyden.