The U.S. Federal Trade Commission said it will fine a security camera vendor nearly $3 million for exposing customer data.
The FTC said it has agreed to a $2.95 million settlement package with Verkada, which includes acknowledgement that Verkada spammed its own customers with junk email and allowed them to be exposed to unwanted emails.
The agreement is the largest settlement yet under the CAN-SPAM Act, a law that, as the name suggests, prescribes monetary penalties for subjecting the public to unwanted and unsolicited emails. That, however, is only one piece of a much larger case against the camera vendor.
According to the FTC, Verkada suffered a major lapse in security to the point of being legally liable. The company left its security camera products vulnerable to outside attackers and, as a result, a major security incident occurred.
It is alleged that a threat actor was able to view Verkada cameras that were charged with monitoring mental health facilities and women’s health clinics, where sensitive footage and patient health data were compromised.
“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said FTC Consumer Protection Director Samuel Levine.
“Companies that fail to secure and protect consumer data can expect to be held responsible.”
While the exposure of medical data due to gross negligence should be bad enough, the FTC said that Verkada went the extra mile by also fluffing its own reviews.
“The complaint also charged that Verkada was aware that employees and a venture capital investor posted positive ratings and reviews of Verkada and its products but failed to disclose their association or current employment status with Verkada,” the FTC said.
This is not even the first time Verkada was found playing fast and loose with access to supposedly private hardware. Back in 2021, the company was called out by security researchers who found that its cams were easily accessible to third parties.