Security biz Verkada to pay $3M penalty under deal that also enforces infosec upgrade

Allowed access to 150K cameras, some in sensitive spots, but has been done for spamming

Physical security biz Verkada has agreed to cough up $2.95 million following an investigation by the US Federal Trade Commission (FTC) – but the payment won’t make good its past security failings, including a blunder that led to CCTV footage being snooped on by miscreants. Instead, the fine is about spam.

You may remember the California outfit from a 2021 security incident that flowed from an admin-level username and password combo for its systems being left online. Hacktivists found those credentials and used them to access CCTV cameras, potentially as many as 150,000, installed in Tesla factories, Cloudflare offices, hospitals, and a prison, among other facilities.

One of the hacktivists involved was arrested by Swiss police, reportedly for unrelated past crimes.

The incident saw US authorities file a complaint against Verkada, alleging numerous security failings within the business itself – including possible Health Insurance Portability and Accountability Act (HIPAA) violations and misrepresentations of other activities. The complaint also alleged Verkada was a spammer.

The FTC has agreed to settle with Verkada over those spamming allegations.

According to a proposed order [PDF] agreed to by the regulator and Verkada, the biz sent promotional emails without the option to unsubscribe, and without a physical address listed – in violation of America's Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act.

That said, the biz will have to step up its security practices – including implementing a proper infosec program for the next 20 years, training staff in best practices at least once a year, implementing multi-factor authentication, and engaging a third party to check its systems.

"When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do," asserted Samuel Levine, director of the FTC's bureau of consumer protection. "Companies that fail to secure and protect consumer data can expect to be held responsible."

For what it's worth, Verkada scored $100 million in its latest venture capital funding round in October 2023 – so it can afford this settlement.

"Verkada neither admits nor denies any of the allegations in the complaint," a spokesperson told The Register. "No civil penalty was imposed related to the security incident, but Verkada has agreed to pay $2.95 million to resolve the FTC's claims about our past email marketing practices."

As for that CCTV snooping, Verkada says a portion of its customers' cameras were spied on rather than all 150,000 or so. The intruder could have viewed all of them but didn't, we're told. "There is no evidence that the hacker accessed more than a subset of the cameras owned by 97 customers," a spokesperson said, "out of approximately 6,000 total customers at the time."

Nevertheless, in canned statements, the feds were pretty clear about what concerned them the most about the case – not even mentioning spam but instead concentrating on security.

"This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk," said principal deputy assistant attorney general Brian Boynton, who is the head of the US Justice Department's civil division. "We will continue to work with the FTC to hold companies accountable for such violations." ®

Editor's note: This story was updated September 5 to include further comment from Verkada on the CCTV incident.
