The U.S. Federal Trade Commission (FTC) has mandated that Verkada, a company specializing in surveillance cameras, develop and implement a comprehensive information security program. This decision was made following revelations that the company failed to provide adequate security measures, leading to a data breach and unauthorized hacker access to customer cameras.
As part of the proposed settlement, which still requires approval from a federal judge, Verkada must also pay a $2.95 million fine for violating the CAN-SPAM Act. This penalty represents the largest fine ever imposed by the FTC for non-compliance with this law.
According to a complaint filed by the U.S. Department of Justice at the behest of the FTC, Verkada did not ensure proper protection of consumers’ personal information. As a result, a hacker gained access to internet-connected surveillance cameras and was able to view footage from psychiatric hospitals and women’s clinics.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, remarked, “When customers entrust companies with monitoring their private spaces through surveillance cameras and other products, they expect basic levels of security, which Verkada failed to provide. Companies that do not protect consumer data must be prepared to face accountability.”
Verkada sells IP surveillance cameras and other physical security solutions to thousands of clients in the U.S. and abroad. In its privacy policy, the company claimed to take data security and customer privacy seriously, utilizing “best-in-class tools and data protection methods.”
However, according to the FTC, the company failed to implement adequate security measures to protect personal information, including surveillance camera footage and customer account data. For example, Verkada did not require unique and complex passwords, did not properly encrypt customer data, and did not implement secure network management tools.
As a result of these security deficiencies, the company experienced at least two breaches between December 2020 and March 2021. During the March 2021 breach, a hacker accessed video footage from over 150,000 Verkada cameras, as well as other customer information.
Additionally, the company is accused of violating the CAN-SPAM Act. According to the complaint, Verkada actively conducted commercial email campaigns to promote its products, sending more than 30 million commercial emails over a three-year period. These emails violated the CAN-SPAM Act in four ways, including disregarding recipients’ requests to unsubscribe from the mailing list.
In addition to the fine, the proposed court order will prohibit the company from making false claims about its data privacy and security practices. The company will also be required to implement a comprehensive information security program, subject to audits by third parties.