Picture being in a doctor’s office, with security cameras for safety, but suddenly feeling like you’re being observed—not by the trained security personnel, but by someone with ill intentions.
This unsettling scenario became a reality when Verkada Inc., a surveillance camera company, failed to provide adequate security for its data, leading to one of the most invasive security breaches in recent memory. The Department of Justice, notified by the Federal Trade Commission (FTC), revealed that Verkada’s vulnerabilities allowed a hacker to access 150,000 live camera feeds from sensitive areas such as psychiatric hospitals, women’s health clinics, elementary schools, and even prison cells.
In March 2021, a hacker was able to remotely access Verkada’s customer camera feeds, watching people in real-time without their knowledge or consent. Even more shocking, Verkada was entirely unaware of the breach until the hacker self-reported the intrusion to the media. This breach went beyond “live” camera feeds; the hacker also exfiltrated sensitive information about Verkada’s customers, including names, email addresses, physical addresses, and even geolocation data tied to cameras.
Given the vast number of organizations using Verkada’s services—from schools and healthcare providers to government agencies and hospitality businesses—many of us have likely been captured on one of their cameras without even realizing it.
Verkada’s failure to secure its systems starkly contrasts with the company’s manifest assurances of data safety. The company’s privacy policy claimed they used “best-in-class” security tools to protect customer data, even stating they were HIPAA-certified and compliant with Privacy Shield principles. However, the FTC’s complaint alleges that these promises were deceptive. Verkada’s internal security failures to provide reasonable and appropriate security, such as not implementing complex passwords or monitoring for unauthorized access attempts, contributed to the breach.
Moreover, the complaint revealed other deceptive practices: Verkada employees had posted fake five-star reviews about the company’s products, and its marketing emails violated the CAN-SPAM Act by not honoring unsubscribe requests or including proper opt-out notices. The company had sent over 22 million marketing emails, many of which failed to meet legal standards.
FTC Settlement: The Consequences for Verkada
In response to its deceptive marketing practices and security failures, Verkada faced significant legal repercussions. The FTC imposed a $2.95 million civil penalty for CAN-SPAM violations, alongside requirements for the company to implement a comprehensive security program. This program includes encryption, multi-factor authentication, and regular audits. The company is also barred from deceptive marketing practices, such as fake reviews and false claims about security standards.
While showcasing the FTC’s impressive regulatory arsenal, the case against Verkada also offers important lessons for any business that collects and handles personal data. Here are three critical actions you can take to strengthen your company’s security and marketing practices:
The Verkada breach serves as a cautionary tale for businesses across industries. Whether you’re managing a small business or a large organization, maintaining rationale and appropriate data security is a crucial responsibility that cannot be overlooked. As the FTC demonstrated, companies that fail to protect customer data and engage in deceptive marketing will face severe consequences. By proactively addressing potential weaknesses and ensuring transparency in your practices, you can avoid the pitfalls that led to Verkada’s downfall—and protect both your customers and your company.
Is your company prepared to prevent a similar security breach? Now is the time to evaluate and reinforce your data protection practices before it’s too late.