The US-based firm was also ordered to take action following security breaches in 2020 and 2021 that led to the exposure of sensitive security camera footage from hospitals and prisons.
The US Federal Trade Commission (FTC) has levied a US$2.9 million fine against the US-headquartered security camera company Verkada following allegations of a string of cyber security failures that led to multiple breaches of the company’s network and video storage platforms.
The fine was specifically for violations of the US CAN-SPAM Act after the company "inundated" customer leads with a barrage of emails. However, the FTC also demanded the company "implement a comprehensive information security program" in the wake of its security incidents.
In a complaint filed in late August, the FTC said Verkada – which has offices around the world, including in Australia – had “engaged in multiple practices that, taken individually or together, failed to provide reasonable or appropriate security for the personal information that it collected and maintained from and about customers and consumers”.
Due to those failures, the FTC said, a threat actor was able to install the Mirai botnet malware onto a legacy server on Verkada’s network in 2020. This botnet operated for two weeks before its activity was reported to Verkada by Amazon Web Services.
Despite engaging multiple cyber security firms to investigate the incident and improve its cyber security posture, the FTC said that Verkada had failed to heed multiple warnings about flaws in its network security – which led to another threat actor gaining access to the company’s network on 8 March 2021.
In this instance, however, the hacker gained access to a support account and obtained Super Admin-level access during a poorly run server update. The hacker then had privileged access to Verkada’s cloud-based Command video management platform and more than 150,000 live security camera feeds, the FTC said.
According to the FTC complaint, the threat actor had access to live footage of “patients in psychiatric hospitals (including patients resting in hospital beds) and women’s health clinics, young children playing inside of a room, and incarcerated persons inside of their cells”.
Again, Verkada was unaware of the intrusion and only discovered the incident after the hacker contacted the media, which, in turn, contacted Verkada for comment.
Verkada has agreed to pay the settlement and to undertake an overhaul of information security systems but has said it denies the FTC’s allegations.
“We do not agree with the FTC’s allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way,” a Verkada spokesperson said in a 30 August statement.
"Only some of the 150,000 live customer cameras the hacker had access to were actually accessed. There is no evidence that the hacker accessed more than a subset of the cameras owned by 97 customers (out of approximately 6,000 total customers at the time)."
The FTC, however, feels the settlement reinforces the need for “robust data security measures”.
“Failure to protect sensitive information puts consumers at risk,” Brian M. Boynton, Principal Deputy Assistant Attorney-General of the Department of Justice’s civil division, said in a statement.
“We will continue to work with the FTC to hold companies accountable for such violations.”
UPDATED 04/09/24 to correct the exact nature of the fine.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.