FTC Fines Security Camera Company $3 Million
The Federal Trade Commission (FTC) has fined security camera company Verkada $2.9 million after the FTC found the company failed to protect customer data or implement proper security measures. Verkada was the target of at least two security breaches between 2020 and 2022, which allowed threat actors to gain access to sensitive data.
The company claimed it used “best-in-class data security tools” and practices to protect customer data from unauthorized access. However, customers were left vulnerable after hackers gained access to 150,000 live feeds from internet-connected cameras, including in schools, prisons and psychiatric hospitals.
The company was also found to be in violation of the CAN-SPAM Act after it sent customers marketing emails without an option to unsubscribe. The company reportedly sent 30 million emails over three years.
Bad practice
The FTC established that Verkada failed to adequately encrypt customer data, implement secure network controls, or require complex passwords — which meant that customer data such as emails, passwords, and full names were exposed. The company’s security practices reportedly failed to comply with the HIPAA and Privacy Shield frameworks.
“When consumers invite businesses into private spaces to monitor consumers using their security cameras and other products, they expect those businesses to provide a basic level of security, which Verkada failed to do,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Businesses that fail to secure and protect consumer data can expect to be held accountable.”
The complaint also alleges that Verkada misled customers by failing to disclose that some positive online reviews were written by employees and investors. In addition to the fine, Verkada must implement a “comprehensive” information security program with external review and audits. The security program must include multi-factor authentication and encryption for sensitive information.
Via Cyber News