SecurityWeek

Verkada Settles With FTC Over Poor Security Practices That Led to Camera Hacking

The FTC complaint alleges that Verkada’s failures allowed a hacker to access customers’ security cameras.

The Federal Trade Commission (FTC) has filed a complaint against security camera firm Verkada claiming its poor security practices have allowed a hacker to access customers’ cameras.

Based in California, Verkada offers IP-enabled security cameras and other physical security products to customers in the US and abroad, touting “best-in-class data security tools and best practices”.

According to the FTC’s complaint, Verkada failed to implement appropriate information security practices, which allowed a hacker to access cameras over the internet and view patients in psychiatric hospitals and women’s health clinics.

The complaint also alleges that the company failed not only to protect its customers’ sensitive information, such as names, email addresses, and passwords, but also to encrypt the data and to implement secure network controls.

These poor cybersecurity practices, the FTC says, led to Verkada falling victim to at least two breaches, including a March 2021 incident in which a hacktivist claimed to be able to access video footage from up to 150,000 internet-connected Verkada cameras.

Verkada, which has agreed to settle with the FTC, has clarified that only 97 of its 6,000 customers actually had their cameras accessed by the hacker.

The FTC’s complaint also alleges that Verkada was aware of positive ratings and reviews posted by employees and a venture capital investor, which did not disclose its association with the company.

Additionally, Verkada allegedly violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) by sending a flood of commercial emails to prospective customers without allowing them to opt out, honoring opt-out requests, or providing a physical postal address in the emails.

The FTC’s proposed order (PDF), which must be approved by a federal judge, will require Verkada to implement a comprehensive information security program, will prevent it from making misrepresentations about its privacy and data security practices, and will require it to pay a $2.95 million monetary penalty for its email marketing practices.

“There was no fine imposed related to the security incident, but we have agreed to pay $2.95 million to resolve the FTC’s claims about our past email marketing practices. We do not agree with the FTC’s allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way,” Verkada said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
