The Federal Trade Commission (FTC) requires security camera vendor Verkada to create a comprehensive information security program as part of a settlement after multiple security failures enabled hackers to access live video feeds from internet-connected cameras.

Many cameras were located in sensitive environments, such as women’s health clinics, psychiatric hospitals, prisons, and schools.

FTC alleges that Verkada not only failed to implement basic security measures to protect the cameras from unauthorized access but also misrepresented the products’ security to customers with unbased promises and reviews submitted by investors.

Moreover, Verkada was found to violate the CAN-SPAM Act by bombarding aspiring customers with promotional emails without giving them opt-out choices.

The company agreed to pay a $2.95 million settlement for these past email marketing campaigns.

Security lapses

In March 2021, it was revealed that a group of hackers (APT-69420 Arson Cats) leveraged a vulnerability in Verkada’s customer support server, which provided admin-level access.

Abusing these elevated privileges, the hackers accessed Verkada’s Command platform, which the FTC says opened access to 150,000 live camera feeds.

The hackers extracted several gigabytes of video footage, screenshots, and customer details from the accessed cameras.

In the original summary of the 2021 incident, Verkada notes that during the intrusion, the hackers accessed cameras and viewed image data from 97 customers, accounting for less than two percent of the company’s customer base. 

After many hours of roaming through Verkada’s internal systems without anyone attempting to block them, the hackers self-reported the breach to the media and released recorded video as proof of the hack.

Before that incident, in December 2020, a hacker exploited a flaw in a legacy firmware build server within Verkada’s network and installed Mirai on it to launch denial-of-service (DoS) attacks.

The camera vendor did not realize the compromise until two weeks later when Amazon Web Services (AWS) flagged suspicious activity on the breached server, the complaint notes.

The FTC says that by claiming to use “best-in-class data security tools and best practices” to protect customer data, Verkada is deceptive and does not represent the truth.

Specifically, Verkada did not implement basic security measures on its products, such as demanding the use of complex passwords, encrypting customer data at rest, and implementing secure network controls.

Additionally, Verkada’s claims about its products being compliant with the Health Insurance Portability and Accountability Act (HIPAA) and also the EU-U.S. and Swiss-U.S. Privacy Shield frameworks are false and misleading according to the FTC.

Penalties and provisions

Verkada has agreed to pay $2.95 million in a settlement with the FTC over its past email marketing campaigns.

In addition, the company must develop and implement a comprehensive security program according to which its own IT team and independent third parties will conduct regular security assessments, implement and test safeguards, and organize employee training on data security.

Verkada is prohibited from misrepresenting its privacy, security practices, or compliance with standards like HIPAA and the Privacy Shield in the future.

For the next 20 years, Verkada will have to report any cybersecurity incidents to the FTC within 10 days after notifying another U.S. government entity, enclosing the full details of the incident.

Finally, Verkada’s commercial emails should now include unsubscribe options so that users can easily opt-out if they wish.

The complete order and FTC’s demands can be found in the stipulated order document.

In a statement on Friday, Verkada said that while not agreeing with FTC’s allegations, it accepted the terms of the settlement.