Your Photo Booth Uploaded Every Picture to the Internet: The Hama Film Security Theatre

Over 1,000 private photos. No password. No security questions. Just a website URL and the ability to count.

That’s the security “architecture” protecting customer images at Hama Film, a photo booth manufacturer whose products show up at weddings, corporate events, and festivals across Australia, the United Arab Emirates, and the United States. For months, anyone with basic technical knowledge could download every photo stored on their servers. The company had known about it since October 2025. They did nothing.

Security researcher Zeacer discovered the vulnerability and reported it to both Hama Film and its parent company Vibecast in October. He received the corporate equivalent of a shrug. No response. No acknowledgement. No fix. So he did what responsible researchers do when companies ignore security failures that affect real people: he went public through TechCrunch in late November.

The response? Vibecast reduced the data retention period from three weeks to 24 hours. Problem solved, right?

Wrong. Catastrophically, insultingly wrong.

The Anatomy of Industrial-Grade Incompetence

Here’s what Hama Film’s “security” looked like:

No authentication. Files were publicly accessible with predictable URLs.

No rate-limiting. Anyone could scrape the entire server without being blocked.

No access controls. The concept of permissions apparently never crossed anyone’s mind.

No monitoring. Nobody noticed when a researcher was poking around their infrastructure.

These aren’t advanced persistent threats. These aren’t nation-state actors using zero-day exploits. This is Security 101, the stuff you learn in the first week of any basic web development course.

The NCSC published comprehensive guidance on securing HTTP-based APIs in April 2025, explicitly citing the absence of rate-limiting as a critical vulnerability.

They referenced Dell’s Partner Portal API breach affecting 49 million customers, the Trello API misconfiguration exposing 15 million users, and the Kia Web Portal vulnerability that let hackers remotely track and start vehicles.

Hama Film apparently never read it. Or they read it and decided security was optional for a company storing strangers’ private photographs.

Why 24-Hour Data Retention Doesn’t Fix Anything

Vibecast’s brilliant solution was to delete photos faster. Instead of keeping them for three weeks, they now purge them after 24 hours. This is like fixing a house with no locks by only leaving valuables inside for one day instead of three.

An attacker can still:

  • Write a script that runs daily

  • Download every new photo uploaded in the previous 24 hours

  • Build a complete database of customer images over time

  • Sell access to this database on underground forums

  • Blackmail individuals whose private moments were captured

The vulnerability remains. The exposure continues. The only difference is the window of opportunity is narrower, which matters not at all to someone running automated scrapers.

This is security theatre in its purest form: visible action that creates the illusion of protection whilst doing absolutely nothing to address the underlying problem.

The Tyler Technologies Pattern: When Basic Security Is Too Hard

Hama Film isn’t alone in this magnificent display of incompetence. Just one month before this story broke, TechCrunch exposed an identical vulnerability in Tyler Technologies’ jury management systems used across multiple US states including California, Illinois, Michigan, Nevada, Ohio, Pennsylvania, Texas, and Virginia.

The flaw? Sequential juror IDs with no rate-limiting.

An attacker could systematically guess ID numbers and access juror profiles containing full names, dates of birth, home addresses, phone numbers, occupations, and sensitive health information from medical exemption requests. The company that manages critical government data across thousands of jurisdictions couldn’t implement basic brute-force protection.
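Both failures described above (Hama Film’s predictable photo URLs with nobody watching, and Tyler’s sequential juror IDs with no rate-limiting) leave the same footprint in an ordinary web server access log, which is why “no monitoring” is the failure that lets the other ones run for months. The Python below is an added example, not code from this article or from either company: it parses Common Log Format lines and flags any client that bursts requests for stored objects or walks object IDs in order. The /photos/<id>.jpg path layout, the thresholds and every log line are constructed for the illustration.

```python
"""Spot sequential-ID enumeration and scraping in web server access logs.

Added example, not code from the article or from Hama Film / Tyler Technologies.
The /photos/<id>.jpg layout, the thresholds and every log line are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "method path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)$"
)
ID_RE = re.compile(r"^/photos/(\d+)\.jpg$")  # assumed URL layout for stored objects
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    obj = ID_RE.match(m["path"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "status": int(m["status"]),
        "obj_id": int(obj.group(1)) if obj else None,
    }


def max_requests_in_window(timestamps, window):
    """Largest number of requests that fall inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def sequential_ratio(ids):
    """Fraction of successive object IDs that differ by exactly one."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
    return steps / (len(ids) - 1)


def detect_enumeration(log_text, *, window_seconds=60, rate_threshold=20,
                       min_ids=10, seq_threshold=0.8):
    """Map each suspicious client IP to the reasons it was flagged.

    Two independent signals: a burst of object requests inside a short window
    (what rate-limiting would have stopped) and IDs walked in order (the
    fingerprint of guessing sequential identifiers, however slowly)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["obj_id"] is not None:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    window = timedelta(seconds=window_seconds)
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])  # stable sort: same-second requests keep log order
        reasons = []
        burst = max_requests_in_window([r["ts"] for r in recs], window)
        if burst >= rate_threshold:
            reasons.append(f"{burst} object requests within {window_seconds}s")
        ids = [r["obj_id"] for r in recs]
        ratio = sequential_ratio(ids)
        if len(set(ids)) >= min_ids and ratio >= seq_threshold:
            reasons.append(f"{ratio:.0%} of ID steps sequential over {len(set(ids))} IDs")
        if reasons:
            findings[ip] = reasons
    return findings


def constructed_sample_log():
    """Made-up access log: one ordinary visitor and one client walking IDs in order."""
    lines = [
        '203.0.113.7 - - [02/Dec/2025:10:00:01 +0000] "GET /photos/1041.jpg HTTP/1.1" 200 48211',
        '203.0.113.7 - - [02/Dec/2025:10:00:05 +0000] "GET /photos/1042.jpg HTTP/1.1" 200 47902',
        '203.0.113.7 - - [02/Dec/2025:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 200 1150',
    ]
    start = datetime(2025, 12, 2, 10, 0, 0, tzinfo=timezone.utc)
    for i in range(40):  # two requests per second, IDs 1000..1039 in order
        stamp = (start + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(f'198.51.100.9 - - [{stamp}] "GET /photos/{1000 + i}.jpg HTTP/1.1" 200 50000')
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, reasons in detect_enumeration(constructed_sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The two signals are kept separate on purpose. A per-minute rate limit answers the first; only the second catches a patient client that stays under any cap and simply keeps counting, which is exactly the behaviour a shorter retention window does nothing about.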

Tyler acknowledged the vulnerability three weeks after being notified. Their response? “We’ve developed a remediation.” No commitment to notify affected individuals. No credit monitoring services. No acknowledgement that they’d exposed citizens to potential identity theft or harassment simply for performing their civic duty.

This is the second major Tyler security failure in two years. In 2023, researchers discovered their Case Management System Plus exposed sealed court documents, witness testimony, mental health evaluations, and trade secrets across Georgia’s court system.

Notice the pattern? These aren’t sophisticated attacks exploiting zero-day vulnerabilities. These are companies failing to implement security measures that have been standard practice since the early 2000s.

What UK SMBs Need to Understand About Vendor Risk

If you’re a UK small business reading this and thinking “Well, I’m not using Hama Film photo booths, so this doesn’t affect me,” you’re missing the point spectacularly.

You hire vendors. Those vendors have access to your data. Your customers’ data. Your employees’ data.

When you contract with a third party to provide services, you’re not just buying their product. You’re inheriting their security practices, their compliance posture, and their potential liabilities. Under UK GDPR, you remain responsible for protecting personal data even when a processor handles it on your behalf.

Article 28 of UK GDPR is crystal clear: controllers must only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures. If your vendor suffers a data breach due to inadequate security, you’re the one explaining to the ICO why you failed in your due diligence obligations.

The ICO can fine you up to £17.5 million or 4% of annual global turnover (whichever is higher) for UK GDPR violations. In 2025, they fined 23andMe £2.3 million for failing to implement basic security measures like mandatory multi-factor authentication after a credential stuffing attack compromised 155,592 UK customers’ genetic data, health reports, and family histories.

The regulator’s position was unambiguous: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK.”

How This Happens: The Economics of Negligence

Why do companies like Hama Film and Tyler Technologies ship products with gaping security holes?

Because they can.

There’s no immediate market consequence for poor security. Customers can’t easily assess a vendor’s security posture before purchasing. Security failures only become visible after a breach, and by then the vendor already has your money.

Government contractors like Tyler face even less accountability. Unlike private companies, which at least face market consequences once a breach becomes public, government tech providers operate with minimal scrutiny despite handling equally sensitive data. They win contracts through procurement processes that prioritise cost over security competence.

The incentive structure is broken. Investing in robust security costs money upfront. Not investing in security might cost money later, if there’s a breach, if someone notices, if regulators act, if the fine is substantial enough to matter. That’s a lot of “ifs” versus the certainty of today’s development costs.

So vendors ship products with sequential IDs and no rate-limiting. They store customer photos on publicly accessible servers. They forget about APIs that remain online for years. And they only fix things when researchers embarrass them publicly through media coverage.

The NCSC’s Blueprint You’re Ignoring

The UK National Cyber Security Centre published explicit guidance on securing HTTP-based APIs in April 2025. They identified rate-limiting failures as a critical vulnerability and provided clear recommendations:

Implement proper authentication frameworks: OAuth 2.0 or token-based authentication instead of API keys or basic authentication.

Deploy rate-limiting and user throttling: Prevent brute-force attacks and denial of service attempts.

Use HTTPS for all API traffic: Encrypt data in transit.

Validate inputs properly: Prevent injection attacks and data corruption.

Implement proper logging and monitoring: Detect suspicious activity before it becomes a breach.

Minimise internet exposure: Don’t expose internal systems unnecessarily.

Store credentials securely: Never hard-code passwords or API keys in source code.

These aren’t optional nice-to-haves. These are fundamental requirements for any system handling personal data. The NCSC guidance exists because companies keep making the same mistakes. Hama Film’s vulnerability is a textbook example of what happens when you ignore basic security principles.
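Taken together, the first, second and fifth points above describe a design rather than a checklist. The Python below is an added illustration, not code from Hama Film, Vibecast or the NCSC: it places the weak pattern this article describes (sequential IDs, no identity check, no throttle) beside a hardened store that issues unguessable identifiers, requires a bearer session, checks ownership, throttles each client with a token bucket and writes an audit trail for monitoring. The class names, bucket parameters and client addresses are assumptions made for the example.

```python
"""Weak vs hardened photo retrieval: unguessable IDs, sessions, throttling, audit.
Added illustration, not Hama Film's or Vibecast's code; names and limits are assumed."""
import secrets
import time


class RateLimited(Exception): ...
class Unauthorized(Exception): ...
class NotFound(Exception): ...


class TokenBucket:
    """Per-client token bucket: `capacity` requests, refilled at `rate` per second."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._buckets = {}  # client -> (tokens remaining, time of last refill)

    def allow(self, key):
        now = self.clock()
        tokens, last = self._buckets.get(key, (float(self.capacity), now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self._buckets[key] = (tokens - 1 if allowed else tokens, now)
        return allowed


class InsecurePhotoStore:
    """The pattern the article describes: sequential IDs, no identity, no throttle."""

    def __init__(self):
        self._photos, self._next_id = {}, 1

    def store(self, owner, data):
        pid, self._next_id = self._next_id, self._next_id + 1
        self._photos[pid] = (owner, data)
        return pid  # 1, 2, 3, ...: every photo is reachable by counting

    def fetch(self, pid):
        return self._photos[pid][1]  # serves anyone who asks


class HardenedPhotoStore:
    """Random 256-bit IDs, bearer sessions, ownership check, rate limit, audit log."""

    def __init__(self, clock=time.monotonic):
        self._photos = {}    # random id -> (owner, bytes)
        self._sessions = {}  # bearer token -> owner
        self._limiter = TokenBucket(capacity=10, rate=0.5, clock=clock)
        self.audit = []      # (event, client, photo id): what monitoring consumes

    def store(self, owner, data):
        pid = secrets.token_urlsafe(32)  # 256 random bits: cannot be enumerated
        self._photos[pid] = (owner, data)
        return pid

    def issue_session(self, owner):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = owner
        return token

    def fetch(self, pid, *, client, bearer):
        if not self._limiter.allow(client):  # throttle before auth so bad-token bursts count too
            self.audit.append(("rate_limited", client, pid))
            raise RateLimited(client)
        owner = self._sessions.get(bearer)
        if owner is None:
            self.audit.append(("unauthenticated", client, pid))
            raise Unauthorized()
        entry = self._photos.get(pid)
        if entry is None or entry[0] != owner:  # same answer for "missing" and "not yours"
            self.audit.append(("denied", client, pid))
            raise NotFound(pid)
        self.audit.append(("served", client, pid))
        return entry[1]


def raises(exc, fn, *args, **kwargs):
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False


def demo():
    """Exercise both stores under a controllable clock and return what happened."""
    now = [1000.0]
    insecure, hardened = InsecurePhotoStore(), HardenedPhotoStore(clock=lambda: now[0])
    r = {"insecure_ids": [insecure.store("x", b"p") for _ in range(3)]}
    r["insecure_served_anonymously"] = insecure.fetch(2) == b"p"
    alice_pic = hardened.store("alice", b"\xff\xd8alice")
    bob_pic = hardened.store("bob", b"\xff\xd8bob")
    alice = hardened.issue_session("alice")
    visitor, scraper, get = "203.0.113.7", "198.51.100.9", hardened.fetch  # constructed
    r["own_photo_served"] = get(alice_pic, client=visitor, bearer=alice) == b"\xff\xd8alice"
    r["other_users_photo_denied"] = raises(NotFound, get, bob_pic, client=visitor, bearer=alice)
    r["no_credentials_rejected"] = raises(Unauthorized, get, alice_pic, client=visitor, bearer=None)
    for _ in range(10):  # ten valid requests drain the scraper's bucket
        get(alice_pic, client=scraper, bearer=alice)
    r["eleventh_request_throttled"] = raises(RateLimited, get, alice_pic, client=scraper, bearer=alice)
    now[0] += 2.0  # 2 s at 0.5 tokens/s refills exactly one request
    r["allowed_after_refill"] = get(alice_pic, client=scraper, bearer=alice) == b"\xff\xd8alice"
    r["audit_events"] = len(hardened.audit)
    return r
```

Two design points worth noting. The limiter runs before authentication, so a client hammering the endpoint with missing or invalid tokens is cut off just as a valid one would be; and a photo that does not exist and a photo that belongs to someone else get the identical response, so the service never confirms which identifiers are live. None of this depends on how long photos are retained: shortening the window, as Vibecast did, changes none of these checks.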

ICO Data Protection Requirements: What Actually Matters

Under UK GDPR, if you experience a personal data breach that poses a risk to individuals’ rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it. If the breach poses a high risk, you must also inform affected individuals directly without undue delay.

A “personal data breach” includes unauthorised access to personal data. Photos of customers are personal data. Making them accessible without authentication is a breach.

The ICO defines potential impacts including: loss of control over personal data, discrimination, identity theft, fraud, financial loss, damage to reputation, or any significant economic or social disadvantage to affected individuals.

Failing to notify when required can result in fines up to £8.7 million or 2% of global turnover.

The ICO’s position on vendor relationships is explicit: if you’re the data controller, you’re responsible for ensuring your processors implement appropriate security measures. “We hired a vendor” is not a defence. It’s an admission that you failed in your due diligence obligations.

When the ICO investigates breaches, they examine whether organisations conducted proper risk assessments, whether security controls were adequate, and whether the organisation responded appropriately when problems emerged. Vibecast’s months-long silence after being notified of a vulnerability affecting customer data would not impress regulators.

How to Turn This Into a Competitive Advantage

Whilst your competitors are merrily handing customer data to the cheapest vendors with the glossiest brochures, you can differentiate your business through demonstrable security competence.

Build vendor security into your sales process: When prospects ask how you protect their data, show them your vendor assessment framework. Explain how you evaluate third-party security before contracting. Make it clear that you treat customer data protection as a fundamental business requirement, not an IT afterthought.

Document your vendor risk management: Create a simple register of all third-party service providers with access to customer data. Include: what data they access, how it’s protected, when contracts expire, and evidence of their security competence. Show prospects and customers that you know where their data lives and who has access to it.

Conduct basic vendor security assessments: Before signing contracts, ask vendors:

  • Do you implement rate-limiting on all API endpoints?

  • Do you require multi-factor authentication for systems processing personal data?

  • When was your last penetration test conducted, and can we see the executive summary?

  • What is your data breach notification process?

  • Do you comply with ISO 27001 or SOC 2?

  • Can you provide evidence of cyber insurance coverage?

Vendors who can’t answer these questions clearly don’t deserve access to your customers’ data.

Make security part of procurement criteria: Don’t award contracts solely on price. Evaluate security posture as a weighted factor in vendor selection. A slightly more expensive vendor with demonstrable security competence will cost you less than a cheap vendor whose breach lands you in front of the ICO.

Require security terms in contracts: Include specific security requirements in service level agreements. Mandate breach notification within 24 hours. Require evidence of regular security testing. Build in termination clauses if security standards aren’t maintained. Make vendors contractually liable for breaches resulting from their negligence.

Use security competence in marketing: “We only work with security-certified vendors” is a differentiator in industries where competitors are still selecting suppliers based on the lowest quote. When a prospect’s previous provider suffers a breach, you can point to your vendor risk programme as evidence you wouldn’t make the same mistake.

How to Sell This to Your Board

Your board cares about liability, reputation, and competitive advantage. Frame vendor security in those terms.

Regulatory liability is personal: Under proposed amendments to UK cyber security legislation, directors may face personal liability for governance failures leading to significant breaches. If your company suffers a breach because you hired a vendor with inadequate security, board members could be held personally accountable. This isn’t theoretical; it’s the direction UK cyber regulation is moving.

Brand damage is permanent: When 23andMe suffered their breach, their brand value collapsed. The company filed for bankruptcy. Their CEO tried to buy the company out of bankruptcy to prevent customer data from being sold to the highest bidder. That’s the business consequence of security negligence. Your company’s reputation is built over years and destroyed in a weekend when customer data leaks.

Insurance costs reflect risk: Cyber insurance premiums are rising dramatically for companies with poor security practices. Insurers are conducting detailed assessments of vendor risk management. Companies that can demonstrate robust third-party security assessments receive better rates and more comprehensive coverage. Those that can’t are either paying premium prices or finding themselves uninsurable.

Competitive advantage is real: In regulated industries, demonstrable security competence is increasingly a procurement requirement. Government contracts, enterprise customers, and larger firms are demanding evidence of vendor security programmes. SMBs that build these capabilities early position themselves for larger opportunities as they grow.

The business case is straightforward:

  • Implementing basic vendor security assessments costs approximately £2,000-5,000 annually for a small business

  • ICO fines reach up to £8.7 million for failing to notify a breach alone, and up to £17.5 million for wider UK GDPR failures

  • Average cost of a data breach for UK SMBs is £4,200 according to government data

  • Cyber insurance premiums can increase 50-200% after a breach

  • Customer churn following public breaches averages 25-40%

Invest £5,000 in vendor risk management or gamble with millions in potential losses. The mathematics are not complicated.

What This Means for Your Business

Every third-party service you use represents a potential attack vector. Your photo booth provider. Your email marketing platform. Your accounting software. Your HR system. Your website hosting provider. Each vendor with access to your data or systems can become your breach.

Start with an inventory. List every vendor that processes, stores, or has access to personal data. Include cloud services, SaaS platforms, contractors, and managed service providers.

Assess current vendors. For existing relationships, request evidence of security competence. If they can’t provide it, start planning transitions to alternatives.

Build security into procurement. Before signing new contracts, conduct basic vendor security assessments. Make security a weighted factor in selection criteria.

Document everything. When (not if) you face ICO scrutiny, you’ll need evidence that you conducted reasonable due diligence. Keep records of security assessments, vendor responses, and decision-making processes.

Review contracts annually. Security standards evolve. Vendors that were adequate last year may have fallen behind. Regular reassessment isn’t optional.

The Hama Film breach is embarrassing for them but instructive for you. It demonstrates what happens when companies treat security as an afterthought and regulators as irrelevant. Don’t be the next case study in vendor risk failure.

Your customers trusted you with their data. You trusted a vendor with that data. If the vendor fails, the responsibility lands on your desk, not theirs. Choose vendors like your business depends on it.

Because it does.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com