
False positive CSAM alert involving test data and external IP reference

WAYSCLOUD-TR-2026-0001 | Government / Authority Contact | high | Resolved
Published: 2026-03-12 00:00:00 UTC Updated: 2026-03-20 00:00:00 UTC
Event: Nov 29, 2025 — Mar 20, 2026

Summary

A CSAM (child sexual abuse material) alert was generated in WAYSCloud's internal monitoring system and subsequently reviewed.

The alert was determined to be a false positive caused by test data in a production environment. One of the test entries included a real external IP address, which increased the seriousness of the situation and required formal review.

What Happened

During development and testing of a monitoring system for detecting potentially illegal image content, test entries were manually inserted into a production database.

These entries were intended to simulate detection scenarios and validate system behavior. However, they were not clearly marked as test data and were not removed after testing.

At a later point, one of these entries triggered a high-severity alert through an external detection service. The alert appeared as a confirmed match and was therefore treated as a real incident.

The alert contained inconsistencies compared to expected detection patterns, which led to further internal investigation.

Unlike other test entries, this specific entry contained a real external IP address associated with a Norwegian network, rather than a reserved or private test address.

WAYSCloud initiated internal investigation procedures following contact from relevant Norwegian authorities, including Kripos, to clarify the situation and ensure appropriate handling.

Impact

The alert did not correspond to any real file, upload, or user activity within WAYSCloud services.

No illegal material was stored, processed, or distributed.

However, the presence of a real external IP address in a test entry created a potential risk that an unrelated third party could be incorrectly associated with serious criminal activity.

The situation was investigated immediately and clarified with authorities. No third party was contacted, investigated, or affected as a result of this event.

The issue was limited to internally generated test data retained in a production system.

Actions Taken

  • Conducted a full technical investigation across storage systems, logs, and monitoring data
  • Verified that no corresponding files, uploads, or user activity existed
  • Confirmed that the referenced IP address had no interaction with any WAYSCloud service
  • Performed cross-system validation to confirm that identifiers did not match real users or accounts
  • Identified the root cause as manually inserted test data in production
  • Established direct dialogue with relevant authorities to clarify the situation
  • Notified the Norwegian Data Protection Authority for assessment
  • Removed or reclassified all affected test entries

The situation was investigated and clarified within a short timeframe following initial notification.

Preventive Measures

  • Test data is no longer inserted into production systems without explicit marking and lifecycle controls
  • Improved separation between testing and production environments
  • Use of reserved test network ranges for all simulated data
  • Removal of the ability to insert arbitrary external IP addresses during testing
  • Additional validation to ensure alerts are based on actual detection events
  • Strengthened internal procedures for handling high-severity automated alerts
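
A sketch of how the marking, lifecycle and reserved-range measures above can be enforced at write time. This is an added example, not WAYSCloud's own code; the field names is_test, expires_at and source_ip are hypothetical, and the allowed ranges are the RFC 5737, RFC 3849 and RFC 1918 blocks.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Ranges set aside for documentation and private use (RFC 5737, RFC 3849, RFC 1918).
ALLOWED_TEST_NETS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

def is_reserved_test_ip(value):
    """True only if value parses as an IP inside an allowed test range."""
    try:
        ip = ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return False
    # Membership is False when the address and network versions differ.
    return any(ip in net for net in ALLOWED_TEST_NETS)

def validate_test_entry(entry, now=None):
    """Return the reasons a simulated entry must be refused (empty list = accept)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if entry.get("is_test") is not True:                 # hypothetical field
        problems.append("not explicitly marked as test data")
    expires = entry.get("expires_at")                    # hypothetical field
    if not isinstance(expires, datetime) or expires <= now:
        problems.append("no future expiry set")
    if not is_reserved_test_ip(entry.get("source_ip")):  # hypothetical field
        problems.append("source_ip is outside reserved test ranges")
    return problems

def expired_test_entries(entries, now=None):
    """Lifecycle sweep: marked test entries whose expiry has passed."""
    now = now or datetime.now(timezone.utc)
    return [e for e in entries if e.get("is_test") is True
            and isinstance(e.get("expires_at"), datetime)
            and e["expires_at"] <= now]

if __name__ == "__main__":
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)      # constructed sample data
    ok = {"is_test": True, "expires_at": now + timedelta(days=7),
          "source_ip": "203.0.113.10"}
    unmarked = {"source_ip": "8.8.8.8"}                  # public address, no marker
    print(validate_test_entry(ok, now))
    print(validate_test_entry(unmarked, now))
```

Running the validator in the insert path refuses the entry before it reaches the database, and the sweep gives a scheduled job the list of test rows that are due for removal.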

Affected Services

storage, monitoring

Timeline

Nov 29, 2025, 24:00 UTC
Informational
Test entries were created in a production database during system setup and testing.

Mar 12, 2026, 08:00 UTC
Investigating
A high-severity alert was generated and identified as inconsistent during internal review.

Mar 12, 2026, 10:00 UTC
Action Taken
WAYSCloud was contacted by relevant Norwegian authorities regarding the alert, which triggered immediate internal investigation and follow-up.

Mar 12, 2026, 14:00 UTC
Action Taken
The Norwegian Data Protection Authority was notified for assessment of the situation.

Mar 12, 2026, 15:00 UTC
Action Taken
Initial incident notification submitted to the Norwegian Data Protection Authority.

Mar 12, 2026, 16:00 UTC
Resolved
Internal investigation confirmed that no real activity, files, or users were associated with the alert.

Mar 13, 2026, 12:00 UTC
Resolved
The alert was confirmed to originate from test data with no underlying incident.

Mar 16, 2026, 14:00 UTC
Action Taken
Follow-up report submitted to the Norwegian Data Protection Authority with full investigation findings.

Mar 20, 2026, 10:00 UTC
Resolved
The Norwegian Data Protection Authority confirmed that the incident did not constitute a breach of personal data security under applicable regulations.

Mar 20, 2026, 12:00 UTC
Resolved
The matter was reviewed and closed following communication with authorities and regulatory clarification.

Attachments

Redacted supporting documentation from regulatory communication is available below.