NurseryCam, a UK-based childcare-monitoring service that allowed parents at approximately 40 UK nurseries to view live video feeds of their children, suffered a security breach disclosed publicly on February 19-20, 2021. The incident is best characterized as a series of egregious security failures rather than a single data breach. Independent security researcher Andrew 'Cybergibbons' Tierney had documented multiple critical vulnerabilities in early February 2021 including the absence of TLS encryption on video streams, the persistence of access permissions for parents whose children no longer attended the nursery, the ability for parents to access camera feeds in nursery rooms where their children were not present, insecure direct object reference vulnerabilities allowing arbitrary video feed access by URL manipulation, and the use of shared administrator credentials that were published in the company's public instruction manual. A separate hacker exploited these vulnerabilities and obtained parent account credentials from approximately 12,000 NurseryCam users, which were dumped online, prompting the company to take its cameras offline.

The breach affected approximately 10,000 to 12,000 parent records based on records indexed by Have I Been Pwned and the original hacker disclosure. Compromised fields included email addresses, names, usernames, and SHA-1-hashed passwords. The hacker publicly stated they had no intention of using the data to harm anyone and that they wanted to force NurseryCam to raise its security standards. Far more critically, the vulnerabilities themselves enabled unauthorized live-video access to children at the affected nurseries, with no reliable record of how many parties may have viewed the feeds during the multi-year period the vulnerabilities existed.

For affected parents and the broader population of children at the affected UK nurseries, the practical risk profile combines standard credential exposure with significant child-safety concerns. The credential exposure supports credential-stuffing attacks against any other accounts where parents reused the same password, and parents should change any reused passwords on other accounts. The more serious concern relates to the live-video access vulnerabilities themselves: because the vulnerabilities had reportedly existed for at least six years prior to public disclosure (since at least 2015 per a parent's earlier report), unknown parties may have had access to live video streams of children at NurseryCam-equipped nurseries during that period without detection. Parents whose children attended NurseryCam-equipped nurseries between approximately 2015 and 2021 may wish to review the timeline of their child's nursery attendance against the documented vulnerability period and discuss any concerns with their nursery and with applicable UK child-safeguarding authorities.

Childcare video-streaming platforms collect parent accounts, child-related records, camera or room access data, billing records, and live-stream access information tied to daycare or nursery monitoring.

NurseryCam was shut down on February 20-21, 2021 following the breach disclosure and has not returned to operation under the same brand. The UK Information Commissioner's Office began assessing the matter following the data-breach report. The case has been widely cited in UK IoT-security commentary as a leading example of vendor unresponsiveness to security disclosure, particularly because Footfallcam Ltd had a documented pattern of attempting to strongarm security researchers including Andrew 'Cybergibbons' Tierney into deleting public Twitter discussion of vulnerabilities in its FootfallCam sister-product. A NurseryCam parent had reported essentially the same class of vulnerability to the company in 2015, six years before the 2021 breach forced disclosure, with NurseryCam reportedly brushing off the report at the time.