Security camera vendor fined $2.95M for data security violations

The Federal Trade Commission (FTC) has imposed a $2.95 million fine on the California-based security camera provider Verkada. The penalty resolves allegations that the company failed to implement appropriate information security practices, violated the FTC Act, and bombarded customers with unsolicited commercial emails violating the CAN-SPAM Act.

What happened

The FTC alleged that Verkada, a vendor of IP-enabled security cameras used in sensitive locations like hospitals, prisons, and schools, had not taken adequate measures to safeguard customer data. Specifically, the company was accused of not requiring unique and complex passwords, failing to implement secure network controls, and inadequately encrypting customer information. These security lapses resulted in at least two data breaches between December 2020 and March 2021.

In the first incident, a hacker installed Mirai botnet malware on Verkada's legacy firmware build server after an employee failed to restore the server's original security settings. The compromised server was then used for malicious activity, including denial-of-service attacks against third-party internet addresses. Verkada took two weeks to detect and address the intrusion, and only learned of it because Amazon Web Services (AWS) flagged the unauthorized activity.

The second breach occurred in March 2021, when a hacking group exploited a vulnerability in Verkada's customer support server to gain administrative-level access. This gave the attackers access to Verkada's Command platform and, through it, live feeds from more than 150,000 security cameras. The attackers downloaded several gigabytes of video footage, screenshots, and sensitive customer data. Notably, it was the hackers themselves who disclosed the breach, which is how Verkada learned of the incident.

Going deeper

In addition to the security lapses, the FTC also alleged that Verkada had misled consumers about its compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks. Despite Verkada's claims of adhering to these data privacy standards, the company's security practices were found to be non-compliant.

Furthermore, the FTC accused Verkada of violating the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. The regulator alleged that the company had flooded prospective customers with commercial emails without providing an option to unsubscribe or opt out, and without including a physical postal address in the emails.

What was said

In the wake of the FTC's findings, Samuel Levine, the Director of the FTC's Bureau of Consumer Protection, made a statement: "When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do. Companies that fail to secure and protect consumer data can expect to be held responsible."

Verkada, for its part, acknowledged the FTC's allegations but stated that it disagreed with them. The company, however, chose to accept the terms of the settlement to allow it to move forward and confirmed that it would continue to strengthen its security posture.

Why it matters

This case is an example of what can go wrong when data security is overlooked. Verkada’s lapses didn’t just result in fines—they exposed sensitive customer information and undermined trust. The FTC’s response also shows that regulators are serious about enforcing rules on privacy and email practices. For companies, the message is simple: protect your data and be honest about your compliance, or face the consequences.

FAQs

What is the FTC Act?

The Federal Trade Commission (FTC) Act is a U.S. law that established the Federal Trade Commission (FTC) and empowers it to protect consumers from unfair or deceptive business practices. The FTC Act allows the agency to investigate and take action against companies that engage in activities such as false advertising, fraud, and other practices that harm consumers or stifle competition.

What is the CAN-SPAM Act?

The CAN-SPAM Act is a U.S. law that sets the rules for commercial email. It gives recipients the right to opt out of receiving further messages, requires that commercial emails include a valid physical postal address, and prohibits deceptive subject lines and header information.

What is a denial-of-service (DoS) attack?

A denial-of-service (DoS) attack is a malicious attempt to disrupt the normal functioning of a website, server, or network by overwhelming it with a flood of traffic or requests. This can cause the targeted system to become slow, unresponsive, or completely unavailable to legitimate users. When the traffic comes from many sources at once, such as the compromised devices of a botnet like Mirai, the attack is called a distributed denial-of-service (DDoS) attack; the distribution makes it far harder to block and amplifies the impact.