Security camera company Verkada agrees to pay FTC almost $3M


The Federal Trade Commission (FTC) has asked the security camera company Verkada to pay $2.95 million. The company violated CAN-SPAM laws relating to its email practices and didn't implement proper security measures, which allowed hackers to watch customers.

Verkada is a US-based camera security company that works in various sectors, including education, healthcare, and hospitality. The company sells IP-enabled security cameras that, if not protected, pose significant security risks.

The Department of Justice (DOJ) and the FTC allege that the company failed to protect customers' personal information and allowed hackers to snoop on them in their most vulnerable environments.

According to the FTC, hackers potentially had access to 150,000 live security feeds to watch patients in psychiatric hospitals, women’s health clinics, schools, and prisons.

However, Verkada released a statement saying that an attacker compromised its platform and accessed security camera footage of 97 out of 6,000 customers at the time.

In March 2021, a threat actor successfully accessed live camera feeds and was able to watch customers without them knowing. Verkada was supposedly unaware this had happened until the hacker publicly claimed the attack.

Not only did the threat actor watch people through Verkada’s security cameras, but the hacker also downloaded sensitive data from customers, including names, email addresses, physical locations, usernames and passwords, geolocation of the security cameras, and more.

In addition to the poor security practices, the FTC and DOJ said that people associated with Verkada left misleading positive reviews of their products and services. Venture capitalists and employees left these reviews without disclosing their relationship with the company.

Verkada also allegedly violated the Controlling the Assault of Non-Solicited Pornography and Marketing Act, or CAN-SPAM Act, which regulates commercial messaging.

The company supposedly spammed customers with commercial emails and didn’t allow customers to unsubscribe or opt out of these messages. Verkada allegedly sent out 30 million emails over a three-year period.

Verkada is now required to adopt a robust security program that includes encryption of information and multi-factor authentication to access sensitive information. The company will need to have this security program assessed by external parties. Verkada will need to pay almost $3 million in fines for violating the CAN-SPAM Act.