The company mSpy, known for specializing in software that allows its users to spy on other people through their technology devices, admitted during an interview with the BBC in May 2015 that it suffered a data breach and that thousands (hackers claim 400,000) of its customer’s records were accessed.
The software mSpy offers is a niche product and services that is quite controversial both ethically and legally. The company promotes it products and services as a means of monitoring your children’s, employees’, or others on a smart phone or mobile device. However, it is also known as a means of spying on your spouse or others secretly. The spyware is said to gather potentially dangerous amounts of information such as tracking locations, listening in on phone calls and reading messages.
Initially mSpy claimed it was the victim of a “predatory attack” by cyber criminals seeking to blackmail the company for money and saying that mSpy had not given in to the “pay or else” demands of these blackmailers. Additionally, mSpy maintained initially that the blackmailer’s claims of having breached their network systems were untrue, despite the fact that a prominent security expert had located and verified the data dump from the mSpy breach.
During the BBC interview a spokeswoman for mSpy claimed the following:
There is no data of 400,000 of our customers on the web.
We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.
We have received frequent threats of similar nature, pursuing financial gain ‘or else’ and have just received a number of those in recent weeks.
We never have or ever will fall for provocations of third parties, and our only response for such ‘ventures’ will be further securitization of any corporate and customer related data.
We pay close attention to each and every ‘hacking’ threat, making sure it doesn’t have reasonable grounds for considering our security measures compromised.
And surely none of such threats deserve being indulged in their demands for ‘easy money’, as the most recent case has served an example of.
Unfortunately most of those denials by mSpy were false. One day after the BBC interview, mSpy admitted there had been a security breach, but claimed the number of affected customers was much less than had been reported by leading cyber security experts or claimed by the hackers.
Typically, when a company has been hacked the prudent measure is to bring in outside cyber forensic investigators to examine the breach or to have at least had their own internal security team access the data dump posted on the dark web and cross check it against its own customer database. When asked by the BBC if mSpy had done this the company did not reply.
According to the report written by Brian Krebs, a leading expert in cyber security,
There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations. Also included in the data dump are thousands of support-request emails from people around the world who paid between $8.33 [£5.37] to as much as $799 [£515] for a variety of subscriptions to mSpy’s surveillance software.
I spent the better part of the day today pulling customer records from the hundreds of gigabytes of data leaked from mSpy. I spoke with multiple customers whose payment and personal data — and that of their kids, employees and significant others — were included in the huge cache. All confirmed they are or were recently paying customers of mSpy.
At the end of the day following the BBC interview mSpy spokeswoman Amelie Ross made the following statements:
“Much to our regret, we must inform you that data leakage has actually taken place,” spokeswoman Amelie Ross told BBC News. However, the scope and format of the aforesaid information is way too exaggerated.”
She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.
“Naturally, we have communicated with our customers whose data could have been stolen. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption,” she added.
Because of the nature of the information, photos, and personal conversations included in this data dump the real victims here are those unknowingly under surveillance, especially the untold additional dangers the breach exposed the children to, whose parents were trying to protect from harm … sad and some legislators say criminal, but that’s another article.
Additional Resources About This Breach: