A computer security expert won a rare payout in a whistleblower lawsuit he filed against Cisco Systems Inc. almost a decade ago, after he reported critical security flaws in Cisco video surveillance software used at major U.S. international airports and federal agencies with critical national security roles.
Rather than being rewarded for his 2008 discovery, James Glenn lost his job, according to the lawsuit he filed under the federal False Claims Act, which was unsealed Wednesday with the announcement of an $8.6 million settlement.
The law lets whistleblowers report fraud and misconduct in federal contracting and collect financial rewards when the claims are successful. Glenn’s attorneys said his is the first cybersecurity case successfully litigated under the FCA.
Cisco issued a statement Wednesday saying it was “pleased to have resolved” the dispute and that “there was no allegation or evidence that any unauthorized access to customers’ video occurred” as a result of the product’s architecture. But it added that video feeds could “theoretically have been subject to hacking.”
In addition to commercial airports, the software is used by the Pentagon, U.S. Secret Service and Department of Homeland Security.
Glenn discovered the flaws while employed by a Cisco reseller in Denmark and immediately alerted the U.S. technology giant. But Cisco kept the vulnerability quiet for five years, not issuing a security alert until 2013, when it acknowledged “multiple security vulnerabilities” in the software.
That notice came two years after the federal government began investigating, Glenn’s lawyers say.
The reseller, NetDesign, fired Glenn in March 2009, blaming his termination on a need to cut costs, they say. Two years later, after Glenn’s sister notified the FBI, a lawsuit was filed claiming Cisco had defrauded U.S. federal, state and local governments that purchased the “mission-critical” Video Surveillance Manager software system.
On July 22, the District of Columbia, 15 states and the federal government settled with Cisco in a case brought in New York’s Western District. Glenn’s lawyers at Constantine Cannon LLP say he will receive 20% of the $8.6 million the plaintiffs are due.
The exploit Glenn discovered would have given an attacker full administrative access not just to the software that managed the video feeds, which allowed multiple feeds to be monitored from a single location, but potentially to other sensitive connected systems vital to physical security, the lawyers say.
“You could penetrate the entire system. And you could do that without any trace. And have complete backdoor access to the system whenever you wanted,” said Michael Ronickher, a Constantine attorney representing Glenn.
In addition to DHS, the Secret Service, the Army, Navy, Marine Corps and the Federal Emergency Management Agency, the vulnerable software suite was used in police stations, prisons, schools and by Amtrak, the plaintiffs’ attorneys said.
Airports affected included Los Angeles International and Chicago’s Midway, Ronickher said.
He said the Auckland airport, New Zealand’s largest, was among international locations affected.
Glenn, who lived in Copenhagen for 11 years, now resides in Bulgaria, his attorneys say.