A leading security camera-maker has sent footage from inside a family’s home to the wrong person’s app.
Swann Security has blamed a factory error for the data breach – which was brought to its attention by the BBC – and said it was a “one-off” incident.
However, last month another customer reported a similar problem saying his version of the same app had received footage from a pub’s CCTV system.
Swann said it was attempting to recover the kit involved in this second case.
In the meantime, it said it had notified the UK’s data privacy watchdog of both cases.
“Swann Communications (Europe) have made us aware of this incident and we will be making inquiries,” the Information Commissioner’s Office said in a statement of its own.
“If anyone has concerns about how their data has been handled, they can report these concerns to us.”
Swann is owned by the Infinova Group, a US-based security camera specialist with offices across the globe.
The BBC first learned of the problem on Saturday, when a member of its staff began receiving motion-triggered video clips from an unknown family’s kitchen.
Until that point, Louisa Lewis had only received footage from her own Swann security camera, which she had been using since December.
The development coincided with Ms Lewis’s camera running out of battery power and requiring a recharge.
“I was out and I had a couple of alerts,” she recalled.
“Naturally, I looked at my phone only to see the video was not of my home.
“At first I ignored it – I thought it must be an error – then I had several other alerts, at which point I thought I had better get in touch with Swann.”
The clips, which had automatically downloaded to her handset, featured a man and woman passing close to the camera. A child’s voice could also be heard in the background.
A Swann customer representative told Ms Lewis that nothing could be done until after the weekend.
And it was only after the matter was flagged to the firm’s PR agency on Monday that she stopped receiving video clips.
Following an internal investigation, a Swann spokeswoman later provided an explanation.
She said that “human error” had caused two cameras to be manufactured that shared the same “bank-grade security key – which secures all communications with its owner”.
“This occurred after the [family] connected the duplicate camera to their network and ignored the warning prompt that notified: ‘Camera is already paired to an account’ and left the camera running,” she added.
“We are regretful that this was not addressed immediately and adequately by our support team, when discovered. We have addressed this and made some internal changes.”
The spokeswoman said that Swann had been unable to identify or contact the family involved.
“We can confirm that no further data was breached or accessed by additional third parties,” she added.
The BBC discovered there had been a report of a similar incident in May.
Another Swann security kit owner had posted images to Twitter in an attempt to identify a pub sending video clips to an app used by him and his wife.
“One day we were watching our own cameras, the next – when we opened the app up – it was someone else’s,” recalled Tim Lane, who lives in Leicestershire.
“One of the cameras looked over the desk of the maitre d’ and we thought we recognised a stag logo on the pile of menus.
“Searching the internet for restaurants with a stag theme became a bit of an obsession for us for a week or more.”
He added that he initially thought the pub might be overseas, but was surprised to eventually discover it was a short drive away.
Mr Lane subsequently visited the pub – The Bradgate – to warn its staff.
“The manager initially appeared suspicious and perhaps a little hostile,” Mr Lane said.
“I really can’t blame him, we could have been hackers. In reality we were both victims of a breach of personal privacy somewhere in Swann’s systems.”
Swann’s spokeswoman said that this matter was still under investigation, but that it suspected both parties had registered their products with the same username and password.
“[We] are putting stricter measures in place for this not to occur in the future,” she added.
But when The Bradgate and Mr Lane agreed to divulge their usernames to the BBC, the logins did not match.
One cyber-security expert has raised concern.
“I can kind of see how the duplicate security key happened, but the second scenario seemed very unlikely,” Prof Alan Woodward from the University of Surrey explained.
“I’m dubious that two users unrelated other than by geographic area would choose the same username and password combination enabling one to see the live video feed of the other.
“When both incidents are combined it does make you wonder if there are others who have had similar issues, and whether there is more at work here than has been so far explained.”