The Federal Trade Commission (FTC) is requiring security camera firm Verkada to implement a security program after the company was hit with two security incidents between December 2020 and March 2021.
The mandate against the Calif.-based company is part of a settlement for allegations that Verkada failed to use appropriate information security practices, leading to the breaches. It’s a mandate that the FTC has previously ordered for companies with complaints related to lax security practices, such as Drizly. In addition to this requirement, the FTC last week also hit Verkada with a $2.95 million fine for violating the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) by flooding potential customers with emails that didn’t include an option to unsubscribe.
“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement in the FTC’s announcement last week. “Companies that fail to secure and protect consumer data can expect to be held responsible.”
Verkada Security Incidents
The complaint stems from two separate security incidents at Verkada. In the first incident in December 2020, a threat actor leveraged a security flaw in a legacy firmware build server (after an employee did not restore original security settings for the server), installed the Mirai malware on the server, and used it to launch denial-of-service attacks against other third-party internet addresses. Verkada did not know that the server was compromised until AWS security uncovered the activity two weeks later, according to the DoJ.
Verkada hired a third-party consulting firm to conduct a security assessment of the company, and that firm flagged several issues; however, the DoJ said that Verkada did not address these known security gaps. Then, in a March 2021 incident that was widely publicized in news reports, a hacker was able to access a Verkada support-level account with administrative privileges, and then used a security flaw in the customer support server to gain Super Admin privileges. The hacker was then able to view sensitive video footage from over 150,000 internet-connected cameras, including ones that revealed patients in psychiatric hospitals and women’s health clinics, and to access other data such as physical addresses, audio recordings and customer Wi-Fi credentials.
“This breach occurred as a direct result of Defendant’s failure to take proper precautions during a scheduled server update and allowed the intruder to have unfettered access to Defendant’s entire network,” said the DoJ.
According to the complaint by the Department of Justice, Verkada failed to encrypt customer data and did not have an adequate security policy. It also did not set up “reasonable access management controls” such as requiring unique and complex passwords, enforcing controls like MFA, and issuing alerts for events like unsuccessful logins to administrative accounts. The company also lacked various data protection controls, centralized logging and alerting capabilities, secure network controls and vulnerability management policies.
The complaint also alleged that Verkada was not compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU-U.S. Privacy Shield framework, and the Swiss-U.S. Privacy Shield framework, and that the company misled its customers about being compliant with these frameworks. The FTC said that Verkada also misled consumers by not disclosing that certain ratings and reviews for its products were written by employees and a venture capitalist investor.
Verkada’s Response
The FTC has hit several companies with various fines over the years for their security failures that led to breaches, including a $60 million fine against Morgan Stanley, and a $500,000 penalty for online retailer CafePress.
In a post about the settlement, Verkada argued it has strengthened its security posture by achieving SOC 2 Type 1 compliance in 2021 and SOC 2 Type 2 compliance in 2022, and ISO 27001, ISO 27017 and ISO 27018 certifications in 2024. The company said it will comply with the FTC’s mandate to create a security program, which will be assessed in biennial reviews by a third-party company.
“There was no fine imposed related to the security incident, but we have agreed to pay $2.95 million to resolve the FTC’s claims about our past email marketing practices,” according to Verkada’s statement. “We do not agree with the FTC's allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way.”