The Federal Trade Commission (FTC) proposes a $2.95 million penalty on security camera vendor Verkada for multiple security failures that enabled hackers to access live video feeds from 150,000 internet-connected cameras. Many of the cameras were located in sensitive environments, such as women’s health clinics, psychiatric hospitals, prisons, and schools.
The FTC alleges that Verkada not only failed to implement basic security measures to protect the cameras from unauthorised access but also misrepresented the products’ security to customers with unfounded promises and with reviews submitted by investors. Moreover, Verkada was found to be in violation of the CAN-SPAM Act by bombarding prospective customers with promotional emails without giving them a way to opt out.
In March 2021, it was revealed that a group of hackers (APT-69420 Arson Cats) leveraged a vulnerability in Verkada’s customer support server, which provided admin-level access.
Abusing these elevated privileges, the hackers accessed Verkada’s Command platform, which the FTC says opened access to 150,000 live camera feeds. From there, the hackers extracted several gigabytes of video footage, screenshots, and customer details.
In the original summary of the 2021 incident, Verkada notes that during the intrusion the hackers accessed cameras and viewed image data from 97 customers, which accounted for less than two percent of the company’s customer base at the time. After many hours of roaming through Verkada’s internal systems without anyone attempting to block them, the hackers self-reported the breach to the media, and released recorded video as proof of the hack.
Before that incident, in December 2020, a hacker exploited a flaw in a legacy firmware build server within Verkada’s network and installed Mirai on it to launch denial-of-service (DoS) attacks. The camera vendor did not realise the compromise until two weeks later, when Amazon Web Services (AWS) flagged suspicious activity on the breached server, the complaint notes.
The FTC says that Verkada’s claim to use “best-in-class data security tools and best practices” to protect customer data was deceptive and did not reflect reality. Specifically, Verkada did not implement basic security measures on its products, such as requiring complex passwords, encrypting customer data at rest, and implementing secure network controls.
Additionally, Verkada’s claims that its products were compliant with the Health Insurance Portability and Accountability Act (HIPAA) and with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks are, according to the FTC, false and misleading. Verkada is required to pay a $2.95 million civil penalty, meant to act as a guarantee of future compliance with the law.
In addition, the company must develop and implement a comprehensive security program under which its own IT team, as well as independent third parties, will conduct regular security assessments, implement and test safeguards, and organise employee training on data security.