The Federal Trade Commission (FTC) has reached a $2.95 million settlement with security camera company Verkada over significant lapses in data security and violations of the CAN-SPAM Act.
The FTC's action follows a series of alarming security breaches that exposed sensitive video footage from Verkada’s cameras, including in psychiatric hospitals and women’s health clinics, along with a flood of unsolicited commercial emails sent to prospective customers without proper opt-out mechanisms.
Verkada, headquartered in California, markets IP-enabled security cameras and other security products to thousands of clients worldwide, including those in highly sensitive industries.
The FTC's complaint, filed by the Department of Justice (DOJ) in the U.S. District Court for the Northern District of California, details how Verkada failed to implement adequate security measures, allowing a hacker to infiltrate the company’s systems and gain access to over 150,000 internet-connected security cameras. These cameras, installed across various sensitive locations, recorded video and audio, and the compromised systems also held WiFi credentials; all of this data was exposed because of Verkada’s inadequate security practices.
Verkada has since informed CyberInsider that only some of the 150,000 cameras were accessed by the hackers, most likely limited to 97.
Breach background
This action follows a major security incident in March 2021, when hackers exploited a misconfigured customer support server at Verkada. The breach, attributed to Swiss hacker Tillie Kottmann, allowed unauthorized access to video footage from nearly 100 of Verkada's clients, including footage from psychiatric hospitals and women’s clinics. The hacker obtained credentials from the exposed support server and used them to log in to a customer support interface; from there, the hacker could impersonate user sessions and reach customer devices.
The breach exposed the personal data of numerous clients, including names, email addresses, and device metadata, highlighting Verkada’s failure to enforce strong password policies and adequate encryption. Despite Verkada’s public assertions of having “best-in-class data security tools and practices,” the company’s lack of secure network controls and comprehensive encryption led to this severe breach.
FTC’s allegations and findings
The FTC's investigation revealed that Verkada’s security deficiencies were not isolated incidents but indicative of systemic problems. More specifically, the FTC alleges that Verkada failed to:
- Implement complex and unique password requirements for its systems.
- Adequately encrypt sensitive customer data.
- Enforce robust network security controls.
The investigation also uncovered misleading practices where Verkada employees and a venture capital investor, who had stakes in the company, posted positive reviews of the company’s products without disclosing their affiliations.
Furthermore, Verkada was found to have falsely represented its compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the EU-U.S. Privacy Shield framework, claiming adherence to these standards despite significant non-compliance.
In addition to the security lapses, Verkada was charged with violating the CAN-SPAM Act by inundating potential customers with commercial emails that failed to provide clear opt-out mechanisms, did not honor unsubscribe requests, and lacked a physical postal address. Over a three-year period, Verkada sent more than 30 million commercial emails, flouting the requirements of the CAN-SPAM Act and earning the largest penalty ever levied by the FTC for such violations.
Settlement and future compliance
As part of the settlement, Verkada is required to implement a comprehensive information security program that includes third-party audits and ongoing scrutiny of its data protection practices. The company is also prohibited from misrepresenting its data security measures and must ensure compliance with the CAN-SPAM Act moving forward.
The FTC's unanimous decision to refer the case to the DOJ underscores the seriousness of Verkada’s failings, especially given the sensitive nature of the data involved. Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, emphasized the responsibility that companies like Verkada have in safeguarding customer data, particularly when their products are used to monitor private spaces.
Verkada has issued a statement about the settlement on its website.
Article updated on 9/9 for clarity, link to Verkada statement added, corrections were made in relation to legal references.