The Federal Trade Commission (FTC) has proposed a $2.95 million financial penalty for Verkada, a California-based security camera vendor, to settle the company’s alleged violations. The FTC alleges that the company failed to implement adequate data security practices, in violation of the FTC Act, and sent customers unsolicited commercial emails with no option to unsubscribe, in violation of the CAN-SPAM Act.
Verkada provides IP-enabled security cameras that stream live footage and store video on Amazon Web Services (AWS) servers. These cameras are deployed in sensitive environments such as prisons, schools, women’s health clinics, and psychiatric hospitals. Despite Verkada’s claims of prioritizing customer privacy and data security, the FTC found significant lapses in its security measures, including weak password requirements, a lack of secure network controls, and inadequate encryption of customer data. The FTC pointed to two breaches, one in December 2020 and another in March 2021. In the first breach, an employee failed to restore the security configurations after working on a server, which allowed a hacker to compromise that Verkada server with Mirai botnet software. The breached server was then used for malicious activity, and the compromise went undetected for 2 weeks until AWS flagged the unauthorized activity. In the second breach, the hackers exploited a vulnerability in Verkada’s customer support server. After gaining administrative privileges, they accessed over 150,000 live camera feeds in Verkada’s Command platform and downloaded video footage, screenshots, and sensitive customer data. The company learned of the breach only when the hackers themselves alerted Verkada.
The FTC also alleged that Verkada misled consumers about its compliance with HIPAA and with international privacy frameworks such as the EU-U.S. and Swiss-U.S. Privacy Shields. Additionally, Verkada allegedly violated the CAN-SPAM Act by sending commercial emails without opt-out options and by failing to disclose that employees and investors who posted favorable reviews online were affiliated with the company. A complaint against Verkada was filed with the Department of Justice, seeking civil penalties, a permanent injunction, and other relief.
The proposed settlement requires Verkada to implement a complete data security program, to stop misrepresenting its privacy practices, to comply with the CAN-SPAM Act, and to pay the $2.95 million penalty. The fine is the largest financial penalty the FTC has ever imposed for a CAN-SPAM Act violation. Although Verkada disagreed with the allegations, the company chose to settle and said it will continue strengthening its security measures. The settlement still requires approval from a federal judge to take effect.
Director Samuel Levine of the FTC’s Bureau of Consumer Protection stated that when consumers allow companies into their private spaces through security products, they assume basic levels of security, which Verkada failed to deliver. Companies neglecting consumer data security will be held responsible.