The US-based company was also ordered to take action following security breaches in 2020 and 2021 that led to the exposure of sensitive hospital and prison security camera footage.
The US Federal Trade Commission (FTC) fined US-based security camera company Verkada $2.9 million following allegations of a series of cybersecurity failures which led to multiple breaches of the company’s network and video storage platforms.
The fine was specifically for violations of the US CAN-SPAM Act after the company “flooded” potential customers with marketing emails. However, the FTC also required the company to “implement a comprehensive information security program” in the wake of its security incidents.
In a complaint filed in late August, the FTC said that Verkada, which has offices around the world, including Australia, had “engaged in multiple practices that, taken individually or in the aggregate, failed to provide reasonable or adequate security for the personal information that we collect and maintain from and about clients and consumers.”
Because of those flaws, the FTC said, a threat actor was able to install the Mirai botnet malware on a legacy server on Verkada’s network in 2020. This botnet operated for two weeks before Amazon Web Services reported its activity to Verkada.
Despite hiring several cybersecurity firms to investigate the incident and improve its cybersecurity posture, the FTC said Verkada had failed to heed multiple warnings about flaws in its network security, which allowed another threat actor to gain access to the company’s network on March 8, 2021.
In this case, however, the hacker was able to gain access to a support account and super administrator-level access during a botched server upgrade. The hacker then had privileged access to Verkada’s cloud-based Command video management platform and more than 150,000 live security camera feeds, the FTC said.
According to the FTC complaint, the perpetrator had access to live images of “patients in psychiatric hospitals (including patients resting in hospital beds) and women’s health clinics, young children playing inside a room, and people imprisoned inside their cells”.
Once again, Verkada was unaware of the intrusion and only discovered the incident after the hacker contacted the media, who, in turn, contacted Verkada for comment.
Verkada agreed to pay the settlement and undertake a review of its information security systems, but said it denies the FTC’s allegations.
“We disagree with the FTC’s allegations, but we have agreed to the terms of this settlement so we can continue our mission and focus on protecting people and places in a privacy-sensitive manner,” a Verkada spokesperson said in a statement on August 30.
“Only a few of the 150,000 live customer cameras that the hacker had access to were accessed. There is no evidence that the hacker accessed more than a subset of the cameras owned by 97 customers (out of approximately 6,000 total customers at the time).”
The FTC, however, believes that the agreement reinforces the need for “robust data security measures.”
“Failure to protect confidential information puts consumers at risk,” Brian M. Boynton, Principal Deputy Assistant Attorney General for the Justice Department’s civil division, said in a statement.
“We will continue to work with the FTC to hold companies accountable for such violations.”
UPDATED 04/24/09 to correct the exact nature of the fine.