The Federal Trade Commission (FTC) proposes a $2.95 million penalty on security camera vendor Verkada for multiple security failures that enabled hackers to access live video feeds from 150,000 internet-connected cameras.
Many of the cameras were located in sensitive environments, such as women’s health clinics, psychiatric hospitals, prisons, and schools.
The FTC alleges that Verkada not only failed to implement basic security measures to protect the cameras from unauthorized access but also misrepresented the products’ security to customers with unfounded promises and with reviews submitted by investors.
Moreover, Verkada was found to be in violation of the CAN-SPAM Act by bombarding aspiring customers with promotional emails without giving them opt-out choices.
Security lapses
In March 2021, it was revealed that a group of hackers (APT-69420 Arson Cats) leveraged a vulnerability in Verkada’s customer support server, which provided admin-level access.
Abusing these elevated privileges, the hackers accessed Verkada’s Command platform, which the FTC says opened access to 150,000 live camera feeds. From there, the hackers extracted several gigabytes of video footage, screenshots, and customer details.
In the original summary of the 2021 incident, Verkada notes that during the intrusion the hackers accessed cameras and viewed image data from 97 customers, which accounted for less than two percent of the company’s customer base at the time.
After many hours of roaming through Verkada’s internal systems without anyone attempting to block them, the hackers self-reported the breach to the media, and released recorded video as proof of the hack.
Before that incident, in December 2020, a hacker exploited a flaw in a legacy firmware build server within Verkada’s network and installed Mirai on it to launch denial-of-service (DoS) attacks.
The camera vendor did not realize the compromise until two weeks later when Amazon Web Services (AWS) flagged suspicious activity on the breached server, the complaint notes.
The FTC says that Verkada’s claim to use “best-in-class data security tools and best practices” to protect customer data was deceptive and did not reflect the truth.
Specifically, Verkada did not implement basic security measures on its products, such as demanding the use of complex passwords, encrypting customer data at rest, and implementing secure network controls.
Additionally, Verkada’s claims about its products being compliant with the Health Insurance Portability and Accountability Act (HIPAA) and also the EU-U.S. and Swiss-U.S. Privacy Shield frameworks are false and misleading according to the FTC.
Penalties and provisions
Verkada is required to pay a $2.95 million civil penalty meant to act as a guarantee for future compliance with the law.
In addition, the company must develop and implement a comprehensive security program under which both its own IT team and independent third parties will conduct regular security assessments, implement and test safeguards, and organize employee training on data security.
Verkada is prohibited from misrepresenting its privacy and security practices, or its compliance with standards like HIPAA and the Privacy Shield, in the future.
For the next 20 years, Verkada will have to report any cybersecurity incidents to the FTC within 10 days after notifying another U.S. government entity, enclosing the full details of the incident.
Finally, Verkada’s commercial emails should now include unsubscribe options so that users can easily opt out if they wish.
The complete order and FTC’s demands can be found in the stipulated order document.
In a statement on Friday, Verkada said that while it does not agree with the FTC’s allegations, it has accepted the terms of the settlement.