Excerpt from BleepingComputer Article, Published on Sep 02, 2024.

The Federal Trade Commission (FTC) has imposed a $2.95 million penalty on security camera vendor Verkada over multiple security failures that allowed hackers to access live video feeds from 150,000 internet-connected cameras. These cameras were located in highly sensitive environments, including women’s health clinics, psychiatric hospitals, prisons, and schools. The FTC alleges that Verkada failed to implement basic security measures, such as enforcing complex passwords, encrypting customer data, and securing network controls. While claiming to use “best-in-class” security practices, Verkada misled customers with deceptive promises and with reviews submitted by investors.

In a significant breach in March 2021, hackers exploited a vulnerability in Verkada’s customer support server to gain admin-level privileges, enabling them to access the company’s Command platform and view 150,000 live camera feeds. The hackers, known as APT-69420 Arson Cats, extracted gigabytes of video footage and customer data, and later self-reported the breach to the media. Prior to this, in December 2020, another hacker exploited a flaw in Verkada’s network to install Mirai malware and launch denial-of-service attacks.

The FTC also found Verkada in violation of the CAN-SPAM Act, as the company sent promotional emails to prospective customers without providing an option to unsubscribe. As part of the settlement, Verkada is required to develop a comprehensive security program, undergo regular security assessments by independent third parties, and train employees on data security practices. Verkada is also prohibited from misrepresenting its security practices and compliance with standards like HIPAA. For the next 20 years, the company must report any cybersecurity incidents to the FTC within 10 days of notifying another U.S. government entity. Although Verkada did not agree with all allegations, it accepted the terms of the settlement.
