Verkada, a California-based surveillance camera company, has agreed to a proposed settlement with the Federal Trade Commission (FTC) over allegations of security failures that allowed hackers to access footage from over 150,000 internet-connected cameras in 2021. The FTC stated that Verkada failed to implement appropriate security practices to protect consumers’ personal information.
As part of the settlement, Verkada will pay a $2.95 million fine, the largest penalty of its kind, to settle allegations that the company inundated prospective customers with commercial emails. However, Verkada maintains that it disagrees with the FTC’s allegations.
The Department of Justice (DOJ) also filed a complaint against Verkada, citing the company’s security failures that led to a hacker gaining access to security cameras in sensitive areas, including psychiatric hospitals, women’s health clinics, elementary schools, and prison cells. It was revealed that Verkada was unaware of the breach until the hacker self-reported it to the media in March 2021.
In addition to the security breaches, the complaint alleged that Verkada misled consumers by not disclosing that certain online consumer ratings and reviews of its products were written by its employees and a venture capital investor. The FTC found that a venture capitalist of Verkada posted a five-star rating and positive review about the company’s products on Google Maps, further questioning the company’s transparency.
Furthermore, Verkada was accused of violating the CAN-SPAM Act of 2003 by sending over 30 million commercial email messages to customers between 2019 and 2022. Customers complained about Verkada’s persistent emails, claiming that they were unable to unsubscribe despite their efforts to notify the company.
To address these allegations and prevent future security breaches, the FTC has ordered Verkada to implement a comprehensive information security program with third-party audits. Verkada is also prohibited from misrepresenting its data security practices and violating the CAN-SPAM Act.
Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, emphasized the importance of companies providing basic levels of security when consumers trust them with their personal information. He stated, “Companies that fail to secure and protect consumer data can expect to be held responsible.”
Verkada, on the other hand, denies the allegations made by the FTC. The company clarified that the $2.95 million payment is related to the FTC’s claims about their past email marketing practices and not related to the security incident. Verkada claimed that it has accepted the terms of the settlement to move forward with its mission of protecting people and places in a privacy-sensitive way.
Verkada boasts a significant presence, with over 26,000 organizations across 85 countries using its services and employing over 2,000 individuals. Despite the settlement, the company aims to regain trust and focus on its core mission of providing secure surveillance solutions.
