The Federal Trade Commission (FTC) has filed a complaint against security camera firm Verkada claiming its poor security practices have allowed a hacker to access customers’ cameras.
Based in California, Verkada offers IP-enabled security cameras and other physical security products to customers in the US and abroad, touting “best-in-class data security tools and best practices”.
According to the FTC’s complaint, Verkada failed to implement appropriate information security practices, which allowed a hacker to access cameras over the internet and view patients in psychiatric hospitals and women’s health clinics.
The complaint also alleges that the company failed not only to protect its customers’ sensitive information, such as names, email addresses, and passwords, but also to encrypt the data and to implement secure network controls.
These poor cybersecurity practices, the FTC says, led to Verkada falling victim to at least two breaches, including a March 2021 incident in which a hacktivist claimed to be able to access video footage from up to 150,000 internet-connected Verkada cameras.
Verkada, which has agreed to settle with the FTC and pay $2.95 million, has clarified that only 97 of its 6,000 customers actually had their cameras accessed by the hacker.
The FTC’s complaint also alleges that Verkada was aware of positive ratings and reviews posted by employees and a venture capital investor, which did not disclose its association with the company.
Additionally, Verkada allegedly violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) by sending a flood of commercial emails to prospective customers without allowing them to opt out, honoring opt-out requests, or providing a physical postal address in the emails.
The FTC’s proposed order (PDF), which must be approved by a federal judge, will require Verkada to implement a comprehensive information security program, will prevent it from making misrepresentations about its privacy and data security practices, and will require it to pay a $2.95 million monetary penalty.
“There was no fine imposed related to the security incident, but we have agreed to pay $2.95 million to resolve the FTC’s claims about our past email marketing practices. We do not agree with the FTC’s allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way,” Verkada said.
Related: FTC Sending $5.6 Million in Refunds to Ring Customers Over Security Failures
Related: FTC Proposes Strengthening Children’s Online Privacy Rules to Address Tracking, Push Notifications
Related: Senators Push to Reform Police’s Cellphone Tracking Tools
Related: FTC Bans SpyFone From Surveillance Business for Selling Stalkerware
