Article Details
Scrape Timestamp (UTC): 2024-09-05 04:34:25.239
Source: https://www.theregister.com/2024/09/05/verkada_ftc_settlement/
Original Article Text
Security biz Verkada to pay $3m penalty under deal that also enforces infosec upgrade

Allowed access to 150k cameras, some in sensitive spots, but has been done for spamming

Physical security biz Verkada has agreed to cough up $2.95 million following an investigation by the US Federal Trade Commission (FTC) – but the payment won't make good its past security failings, including a blunder that led to CCTV footage of Tesla, Cloudflare, and others being snooped on. Instead, the fine is about spam.

You may remember the California outfit from a 2021 security incident that flowed from an admin-level username and password combo for its systems being left online. Hacktivists found those credentials and used them to access an estimated 150,000 CCTV cameras – including some in Tesla factories, Cloudflare offices, hospitals, and a prison. One of the hacktivists involved was arrested by Swiss police, reportedly for unrelated past crimes.

The incident saw US authorities file a complaint against Verkada, alleging numerous security failings within the business itself – including possible Health Insurance Portability and Accountability Act (HIPAA) violations and misrepresentations of other activities. The complaint also alleged Verkada was a spammer.

The FTC has agreed to settle with Verkada over the spamming allegations. According to a proposed order [PDF] agreed to by the regulator and Verkada, the biz sent promotional emails without the option to unsubscribe, and without a physical address listed – in violation of America's Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act.

That said, the biz will have to step up its security practices – including implementing a proper infosec program for the next 20 years, training staff in best practices at least once a year, implementing multi-factor authentication, and engaging a third party to check its systems.
"When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do," asserted Samuel Levine, director of the FTC's bureau of consumer protection. "Companies that fail to secure and protect consumer data can expect to be held responsible."

For what it's worth, Verkada scored $100 million in its latest venture capital funding round in October 2023 – so it can afford this settlement.

"Verkada neither admits nor denies any of the allegations in the complaint," a spokesperson told The Register. "No civil penalty was imposed related to the security incident, but Verkada has agreed to pay $2.95 million to resolve the FTC's claims about our past email marketing practices."

Nevertheless, in canned statements, the feds were pretty clear about what concerned them the most about the case – not even mentioning spam but instead concentrating on security.

"This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk," said principal deputy assistant attorney general Brian Boynton, who is the head of the US Justice Department's civil division. "We will continue to work with the FTC to hold companies accountable for such violations."
Daily Brief Summary
Verkada, a physical security firm, has agreed to pay a $2.95 million civil penalty to settle an FTC complaint; the penalty itself is tied to spam violations, not to the company's security failings.
The settlement relates to improper email marketing practices under the CAN-SPAM Act, missing options to unsubscribe and no listed physical address.
Separate from the spam issue, Verkada faced severe security lapses in 2021, where hackers accessed around 150,000 CCTV cameras due to exposed admin credentials.
Cameras compromised included those in sensitive locations such as Tesla factories and Cloudflare offices, raising significant security concerns.
No civil penalty was imposed for the 2021 security incident or the alleged HIPAA-related violations and misrepresentations; Verkada neither admits nor denies the allegations in the complaint.
The agreement mandates Verkada to enhance its security measures, including establishing a robust information security program and annual staff training on security best practices.
Verkada must also implement multi-factor authentication and undergo regular audits by a third party to ensure compliance with upgraded security protocols.
Statements from the FTC and the US Justice Department focused on data security rather than spam, stressing that companies in the security industry in particular will be held accountable for failing to protect consumer data.