Cloud Security, Legislation & Litigation, Security Operations
Verkada Agrees to $2.95M Civil Penalty With US FTC
Cloud-Based Security Camera Firm Pledges Better Security in US FTC Settlement

A California security camera company agreed to pay a $2.95 million civil penalty for violations of a U.S. federal anti-spam law and to implement a comprehensive security program after hackers in 2021 accessed video from 150,000 internet-connected security cameras, including from devices placed inside psychiatric hospitals and women's health clinics.
A complaint from the U.S. Federal Trade Commission against San Mateo-based Verkada alleges that the company violated the CAN-SPAM Act - Controlling the Assault of Non-Solicited Pornography and Marketing - by flooding prospective customers with a barrage of commercial emails and failing to include the option to unsubscribe or opt out, honor opt-out requests, and provide a physical postal address in the emails.
The FTC also alleges that the company failed to use appropriate information security practices to protect customers' and consumers' personal information collected through its security cameras.*
Besides the multimillion-dollar financial penalty for the CAN-SPAM Act violations, a consent order agreed to by the company commits it to implementing a comprehensive security program and submitting annual risk assessments to the FTC for the next two decades. The order still requires approval by a federal judge.
Verkada's primary products are IP-enabled security cameras that store customer data and archived video footage using Amazon Web Services’ cloud-based storage. Between 2019 and 2021, the company sold more than 240,000 security cameras, the agency said.
Verkada's allegedly lax security included a failure to require unique and complex passwords, adequately encrypt customer data, and implement secure network controls. As a result of these security failures, Verkada experienced at least two security breaches between December 2020 and March 2021.
In the March 2021 breach, a hacker accessed video footage from over 150,000 internet-connected Verkada cameras as well as other customer information, such as physical addresses, audio recordings, and customer Wi-Fi credentials (see: Startup Probes Hack of Internet-Connected Security Cameras).
"The intruder had access to over 150,000 live customer cameras and viewed patients in psychiatric hospitals - including patients resting in hospital beds - and women's health clinics, young children playing inside of a room, and incarcerated persons inside of their cells," the FTC said.
In the December 2020 breach, a hacker leveraged a security flaw in a legacy firmware build server after an employee failed to restore the original security settings for the server, the FTC said. Hackers installed Mirai botnet software "onto the server and performed malicious activity, including weaponizing the server to launch denial-of-service attacks against other third-party internet addresses. Defendant was not aware that the server was compromised until AWS security flagged the activity more than two weeks later."
Verkada in a Friday statement said it does not agree with the FTC's allegations but has accepted the terms of the settlement "so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way."
"We continue to prioritize strengthening Verkada's data security posture," the statement says.
Verkada collects and maintains a variety of customer information, including names, physical addresses, customer usernames and password hashes, customer site floor plans and customer Wi-Fi credentials, the agency said in its complaint.
Its security cameras collect video footage that "may include captures of consumers and of other potentially sensitive personal information regarding consumers, such as visible medical records," the FTC said.
"Many such captures of consumers are inherently sensitive as one's presence in a particular location necessarily reveals one's personal information - for example, a consumer captured in a psychiatric hospital strongly suggests that said consumer is seeking mental health services," the FTC said.
In addition to live surveillance capabilities, Verkada's security cameras include People Analytics features that allow customers to view high-resolution images of all consumers whose likenesses have either been recorded by their security cameras or uploaded to the company's Command platform. That allows users to filter collected images by gender or clothing color and search images through facial recognition or face-matching technology.
The Commission voted 5-0 in support of the proposed consent order.
*Correction Sept. 3, 2024 16:17 UTC: Corrected to reflect that the $2.95 million civil penalty is solely for alleged violations of the CAN-SPAM Act. Verkada is settling allegations of poor cybersecurity by agreeing to have its information security program monitored for the next two decades.