
FTC Proposes $2.95 Million Penalty On Security Camera Maker Verkada Over Major Security Failures


The Federal Trade Commission (FTC) has proposed a $2.95 million penalty on Verkada, a security camera vendor, for several security failures that left its internet-connected cameras vulnerable to hackers. These failures enabled unauthorized access to live video feeds from approximately 150,000 cameras installed in sensitive locations, including women’s health clinics, psychiatric hospitals, prisons, and schools.

According to the FTC, Verkada failed to implement basic security protocols to safeguard its products, allowing hackers to gain access. The FTC further alleges that Verkada misrepresented the security features of its cameras to customers, making baseless claims about the safety of its products. Investors were also involved in submitting exaggerated reviews, adding to the company’s misleading marketing practices. Additionally, Verkada violated the CAN-SPAM Act by sending promotional emails to potential customers without offering them an option to opt out.

In March 2021, a hacking group known as APT-69420 Arson Cats exploited a vulnerability in Verkada’s customer support server. This breach allowed the hackers to gain admin-level access to the company’s Command platform, which controls access to the live feeds of 150,000 cameras. The hackers extracted several gigabytes of sensitive video footage, screenshots, and customer information. Verkada acknowledged that hackers accessed video data from 97 customers during the breach, which accounted for less than 2% of its customer base. However, the hackers were able to roam the company’s internal systems for several hours without being detected or stopped. Eventually, they reported the breach to the media themselves and released video footage as evidence of the hack.

This was not the first time Verkada’s security was compromised. In December 2020, a hacker exploited a vulnerability in one of the company’s legacy servers and used it to launch a denial-of-service (DoS) attack. Verkada was unaware of the breach until two weeks later when Amazon Web Services (AWS) flagged suspicious activity on the compromised server.

The FTC accuses Verkada of falsely claiming that it employed “best-in-class data security tools and best practices” to protect customer data. The company failed to implement basic security measures, such as enforcing complex passwords, encrypting customer data at rest, and securing its network. The FTC also pointed out that Verkada’s claims of compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the EU-U.S. Privacy Shield frameworks were deceptive. These false assurances misled customers into believing their data was more secure than it was.

As part of the settlement, Verkada must not only pay the $2.95 million civil penalty but also implement a comprehensive security program. This program will involve regular security assessments by both Verkada’s IT team and independent third parties, as well as improved safeguards and employee training in data security. By imposing this penalty, the FTC aims to ensure that Verkada complies with security standards in the future and prevents similar breaches from happening again.
