Verkada Facing Penalty After Hackers Viewed Sensitive Video Footage

Verkada has been accused by the US Federal Trade Commission (FTC) of security failings that allowed hackers to access customers’ security camera footage.

The FTC's proposed order will require the security camera company to develop and implement a comprehensive information security program to ensure it adequately protects consumer data.

Verkada is also set to pay a $2.95m penalty for allegedly violating the Controlling the Assault of Non-Solicited Pornography And Marketing (CAN-SPAM) Act in a number of ways, including not honoring email recipients’ requests to unsubscribe from marketing emails.

The order will need to be approved by a federal judge before it goes into effect.

Hackers Gained Access to Sensitive Video Footage

The order relates to a complaint filed by the Department of Justice (DoJ) upon referral by the FTC on August 30, 2024, which alleges that Verkada failed to use appropriate information security practices to protect the personal information it collects.

This includes customers’ video footage and data about customer accounts, such as names, email addresses, passwords and site floorplans.

The complaint alleges that Verkada failed to require unique and complex passwords, adequately encrypt customer data, and implement secure network controls. This is despite extensive claims made by the California-based firm that it takes data security and customer privacy seriously.

The DoJ claimed that the firm experienced at least two security breaches as a result of these failings between December 2020 and March 2021.

In the March 2021 breach, a hacktivist group gained access to the live feeds of 150,000 cameras around the world, including women’s health clinics and psychiatric hospitals. According to Verkada, there is no evidence that the hacker accessed more than a subset of the cameras owned by 97 customers during this incident. 

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, commented: “When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do.”

Verkada Accused of Misleading Customers

The DoJ complaint said that Verkada misled consumers with respect to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU-US Privacy Shield framework, and the Swiss-US Privacy Shield framework. The agency claims that Verkada’s security practices were not compliant with either HIPAA or the Privacy Shield frameworks.

Additionally, Verkada is accused of misleading consumers by failing to disclose that certain online consumer ratings and reviews of its camera products were written by Verkada employees and a venture capital investor.

Verkada Accepts Settlement

In a statement responding to the order on August 30, Verkada said it has voluntarily agreed to pay the $2.95m as a settlement, and insisted no fine was issued. 

"We do not agree with the FTC's allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way," the firm stated.

Article updated on September 3
