The Federal Trade Commission (FTC) has taken action against US-based security camera firm Verkada, imposing a hefty fine of US$2.95 million. The action stems from allegations of a series of cybersecurity failures that led to multiple breaches of the company’s network and video storage platforms.
In a statement issued on August 28, 2024, the FTC stated that Verkada had “engaged in multiple practices that, taken individually or together, failed to provide reasonable or appropriate security for the personal information that it collected and maintained from and about customers and consumers.”
The Commission alleged that Verkada failed to implement reasonable security measures to protect the sensitive information it collected and maintained from its customers. This resulted in unauthorized access to Verkada’s systems by hackers, compromising the security footage of numerous organizations that rely on Verkada’s security camera systems.
Security Vulnerabilities Exposed Sensitive Data
According to the FTC complaint, Verkada’s security practices fell short of industry standards, The FTC complaint details several shortcomings in Verkada’s security practices, including inadequate password security, insecure default settings, limited multi-factor authentication, and insufficient access controls. These vulnerabilities were exploited by hackers, resulting in breaches of Verkada’s systems in 2020 and 2021.
The compromised footage might have contained sensitive information about individuals captured on camera, raising concerns about potential privacy violations and reputational damage for affected organizations.
The breaches exposed the security camera footage of hospitals, prisons, and other sensitive locations, potentially putting individuals and organizations at risk.
This raises concerns about potential privacy violations and reputational damage for affected organizations. Additionally, compromised security footage could provide valuable information to criminals, potentially compromising physical security measures.
Security Camera Firm Verkada’s Response
Following the FTC’s action, Verkada issued a statement acknowledging the fine and outlining steps taken to address the identified security vulnerabilities.
The company stated, “We reached a settlement with the Federal Trade Commission (the “FTC”) related to their investigation of our March 2021 data security incident, and separately, some of our e-mail marketing practices between 2019-2021. There was no fine imposed related to the security incident, but we have agreed to pay $2.95 million to resolve the FTC’s claims about our past email marketing practices. We do not agree with the FTC’s allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way.”
The FTC’s action sends a strong message to the security camera industry and all companies that handle sensitive data. Robust cybersecurity measures are no longer optional; they are a fundamental requirement. Organizations must prioritize data security by implementing strong password policies, enforcing MFA, and granting access on a least-privilege basis. Additionally, companies should remain vigilant and regularly review their security protocols to identify and address any potential vulnerabilities.
Beyond the Fine: Reputational Damage and Long-Term Effects
While the US$2.9 million fine is a significant financial penalty, the long-term impact of the FTC action on Verkada may be even more severe. The data breach has undoubtedly damaged Verkada’s reputation and customer trust. Regaining that trust will require a sustained commitment to improving security practices and demonstrating transparency. Verkada will need to work diligently to convince customers that their security camera systems are safe and reliable.