Verkada Penalized $2.95M by FTC for Security Failures Exposing 150,000 Camera Feeds
Introduction
In a significant development in the cybersecurity domain, the Federal Trade Commission (FTC) has proposed a $2.95 million penalty against security camera vendor Verkada. The penalty stems from multiple security failures that allowed hackers to access live video feeds from 150,000 internet-connected cameras. These breaches exposed sensitive environments, including women's health clinics, psychiatric hospitals, prisons, and schools, highlighting the severe implications of inadequate security measures.
The Security Failures
Verkada, a company that markets its products as secure and reliable, has come under fire for failing to implement fundamental security practices. The FTC alleges that the company misrepresented the security of its products, deceiving customers with unsubstantiated claims of "best-in-class data security tools and best practices."
The most notable breach occurred in March 2021, when a hacker group exploited a vulnerability in Verkada's customer support server. This security flaw granted the attackers admin-level access to Verkada's Command platform, which, in turn, exposed live video feeds from 150,000 cameras. The hackers accessed and extracted gigabytes of video footage, screenshots, and customer information. Despite having access to Verkada’s systems for several hours, the breach went unnoticed by the company until the hackers themselves reported it to the media, releasing the footage as proof of their access.
In a previous incident in December 2020, another hacker exploited a vulnerability in Verkada's legacy firmware build server. The attacker installed Mirai malware on the server, launching denial-of-service (DoS) attacks. This breach also went undetected by Verkada until Amazon Web Services (AWS) flagged suspicious activity two weeks later.
FTC Allegations and Violations
The FTC's complaint against Verkada includes several serious allegations. The agency contends that Verkada failed to enforce basic security measures, such as requiring complex passwords, encrypting customer data at rest, and implementing secure network controls. Furthermore, Verkada's claims of compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the EU-U.S. and Swiss-U.S. Privacy Shield frameworks were deemed false and misleading.
In addition to these security failures, Verkada was found to have violated the CAN-SPAM Act by sending unsolicited promotional emails without providing recipients with opt-out options.
Penalties and Compliance Requirements
As part of the settlement, Verkada will pay a $2.95 million civil penalty. The company is also required to develop and implement a comprehensive security program. This program must include regular security assessments by both its internal IT team and independent third parties, the implementation and testing of security safeguards, and ongoing employee training on data security.
Verkada is now prohibited from making false claims about its privacy or security practices, or about its compliance with regulatory standards such as HIPAA and the Privacy Shield. Additionally, the company must report any cybersecurity incident to the FTC within 10 days of notifying another U.S. government entity, providing full details of the incident.
Finally, Verkada must ensure that all commercial emails include an unsubscribe option, allowing recipients to opt out of future communications easily.
Conclusion
The FTC's action against Verkada serves as a stark reminder of the critical importance of robust cybersecurity measures in today's digital landscape. As this case demonstrates, failing to protect sensitive data and misrepresenting security practices can lead to severe consequences, both in terms of regulatory penalties and reputational damage. Organizations must prioritize implementing and maintaining strong security protocols to safeguard their customers and avoid similar pitfalls.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.