Risky Biz News reports:
The FTC has fined security camera firm Verkada $2.95 million for failing to implement cybersecurity measures to protect its systems. The fine is related to a March 2021 security breach when a hacker accessed customer data and video footage from over 150,000 Verkada cameras. The hacker used the cameras to access and leak footage from psychiatric hospitals, women’s health clinics, police stations, and prisons. The FTC fine is also related to violations of the CAN-SPAM Act after Verkada was also caught flooding prospective customers with spam emails.
In a press release, the FTC states:
The Federal Trade Commission will require security camera firm Verkada to develop and implement a comprehensive information security program to settle allegations the company failed to use appropriate information security practices, which allowed a hacker to access customers’ security cameras.
Under a proposed order, which must be approved by a federal judge before it can go into effect, Verkada will also be required to pay a $2.95 million monetary penalty to settle allegations the company inundated prospective customers with commercial emails in violation of the CAN-SPAM Act, the largest penalty obtained by the FTC for a CAN-SPAM violation.
A complaint filed by the Department of Justice (DOJ), upon notification and referral from the FTC, alleged that Verkada failed to use appropriate information security practices to protect consumers’ personal information, which allowed a hacker to access internet-connected security cameras and view patients in psychiatric hospitals and women’s health clinics. The complaint also charged that Verkada was aware that employees and a venture capital investor posted positive ratings and reviews of Verkada and its products but failed to disclose their association or current employment status with Verkada.
But that’s not all. Beyond the two data breaches the firm experienced, the FTC alleges other violations:
Additionally, Verkada misled consumers with respect to its compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU-U.S. Privacy Shield framework, and the Swiss-U.S. Privacy Shield framework. According to the complaint, Verkada’s security practices were not compliant with either HIPAA or either Privacy Shield framework.
The complaint further alleges that Verkada also misled consumers by failing to disclose that certain online consumer ratings and reviews of its camera products were written by Verkada employees and a venture capital investor, according to the complaint. For example, a venture capitalist who invested in Verkada posted a five-star rating and positive review on Google Maps.
Lastly, the complaint alleges that Verkada violated the CAN-SPAM Act in several ways.
The full press release can be found on the FTC’s website.