Verkada Agrees to $2.95M Civil Penalty After Hacks – Source: www.databreachtoday.com

Source: www.databreachtoday.com

Cloud Security, Legislation & Litigation, Security Operations

Cloud-Based Security Camera Firm Pledges Better Security in US FTC Settlement

Marianne Kolbasuk McGee (HealthInfoSec) • August 30, 2024

The U.S. Federal Trade Commission alleges that lax security practices allowed hackers to access sensitive video footage from Verkada’s IP-enabled security cameras (Image: Verkada)

A California cloud-based security camera company agreed to pay a $2.95 million civil penalty and implement a comprehensive security program after hackers in 2021 accessed video from 150,000 internet-connected security cameras, including from devices placed inside psychiatric hospitals and women’s health clinics.

A complaint from the U.S. Federal Trade Commission against San Mateo-based Verkada alleges that the company failed to use appropriate information security practices to protect customers’ and consumers’ personal information collected through its security cameras.

Besides the multimillion-dollar financial penalty, a consent order agreed to by the company commits it to implementing a comprehensive security program and submitting annual risk assessments to the FTC for the next two decades. The order still requires approval by a federal judge.

The proposed consent order also settles allegations that Verkada violated federal anti-spam email protections by flooding prospective customers with a barrage of commercial emails and failing to include the option to unsubscribe or opt out. The company also did not honor opt-out requests or provide a physical postal address in the emails, the FTC said.

Verkada’s primary product is IP-enabled security cameras that store customer data and archived video footage using Amazon Web Services’ cloud-based storage. Between 2019 and 2021, the company sold more than 240,000 security cameras, the agency said.

Verkada’s allegedly lax security included a failure to require unique and complex passwords, adequately encrypt customer data, and implement secure network controls. As a result of these security failures, Verkada experienced at least two security breaches between December 2020 and March 2021.

In the March 2021 breach, a hacker accessed video footage from over 150,000 internet-connected Verkada cameras as well as other customer information, such as physical addresses, audio recordings, and customer WiFi credentials (see: Startup Probes Hack of Internet-Connected Security Cameras).

“The intruder had access to over 150,000 live customer cameras and viewed patients in psychiatric hospitals – including patients resting in hospital beds – and women’s health clinics, young children playing inside of a room, and incarcerated persons inside of their cells,” the FTC said.

In the December 2020 breach, a hacker leveraged a security flaw in a legacy firmware build server after an employee failed to restore the original security settings for the server, the FTC said. Hackers installed Mirai botnet software “onto the server and performed malicious activity, including weaponizing the server to launch denial-of-service attacks against other third-party internet addresses. Defendant was not aware that the server was compromised until AWS security flagged the activity more than two weeks later.”

Verkada in a Friday statement said it does not agree with the FTC’s allegations, but has accepted the terms of the settlement “so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way.”

“We continue to prioritize strengthening Verkada’s data security posture,” the statement said.

Verkada collects and maintains a variety of customer information, including names, physical addresses, customer usernames and password hashes, customer site floorplans and customer Wi-Fi credentials, the agency said in its complaint.

Its security cameras collect video footage that “may include captures of consumers and of other potentially sensitive personal information regarding consumers, such as visible medical records,” the FTC said.

“Many such captures of consumers are inherently sensitive as one’s presence in a particular location necessarily reveals one’s personal information – for example, a consumer captured in a psychiatric hospital strongly suggests that said consumer is seeking mental health services,” the FTC said.

In addition to live surveillance capabilities, Verkada’s security cameras include “People Analytics” features that allow customers to view high resolution images of all consumers whose likenesses have either been recorded by their security cameras or uploaded to the company’s Command platform. That allows users to filter collected images by gender or clothing color, and search images through facial recognition or face matching technology.

The Commission voted 5-0 in support of the proposed consent order.

Original Post url: https://www.databreachtoday.com/verkada-agrees-to-295m-civil-penalty-after-hacks-a-26179
