The Federal Trade Commission (FTC) said on Aug. 30 that Verkada has agreed to a proposed settlement over allegations that its security failures had enabled hackers to access footage from over 150,000 internet-connected cameras in 2021.
The California-based surveillance camera company Verkada failed to use “appropriate information security practices” to protect consumers’ personal information, the FTC said in a statement.
The agency also levied a $2.95 million fine “to settle allegations the company inundated prospective customers with commercial emails,” in the largest penalty of its kind, the FTC said.
Verkada agreed to pay the settlement but rejected the FTC’s allegations.
The Department of Justice (DOJ) filed a complaint upon notification and referral from the FTC, alleging that Verkada’s security failures had led to a hacker gaining access to security cameras in sensitive areas.
The complaint cited a March 2021 breach, when a hacker accessed “thousands” of over 150,000 customer cameras in psychiatric hospitals, women’s health clinics, elementary schools, and prison cells. It alleged that Verkada was unaware of the breach until the hacker self-reported it to the media.
The complaint also alleged that Verkada misled consumers by failing to disclose that certain online consumer ratings and reviews of its products were written by its employees and a venture capital investor.
The FTC stated that a venture capital investor in Verkada posted a five-star rating and positive review about the company’s products on Google Maps.
It also accused Verkada of violating the CAN-SPAM Act of 2003—which sets rules for commercial email—by sending more than 30 million commercial email messages to customers between 2019 and 2022.
According to the suit, numerous customers complained about Verkada’s “incessant emails,” claiming they were unable to unsubscribe despite making “substantial efforts” to notify the company.
As part of the settlement terms, the FTC has ordered Verkada to implement a comprehensive information security program with third-party audits. Verkada is also prohibited from misrepresenting its data security practices and violating the CAN-SPAM Act.
“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.
“Companies that fail to secure and protect consumer data can expect to be held responsible,” Levine added.
Verkada Denies Allegations
“There was no fine imposed related to the security incident, but we have agreed to pay $2.95 million to resolve the FTC’s claims about our past email marketing practices,” the company said in a statement. “We do not agree with the FTC’s allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way.”
Verkada said that more than 26,000 organizations across 85 countries use its services and the company has over 2,000 employees.