FTC reaches $5.8 million settlement with Amazon Ring over lax security

Amazon-owned Ring reached a $5.8 million settlement with the Federal Trade Commission on Wednesday over the company’s alleged failures to protect user data against cyberattacks.
According to a court complaint filed on behalf of the FTC in a Washington court, roughly 55,000 U.S. customers suffered serious account compromises over a period during which Ring failed to take necessary measures to prevent credential stuffing and brute force attacks. The attacks allowed hackers to try to access users’ accounts through a previously breached password or automated, repeated attempts at guessing credentials.
For 910 of the U.S. accounts (or 1,250 devices), attackers were able to not just take over accounts but take additional steps such as accessing a live stream. In at least 20 cases, hackers maintained this access for more than a month.
The FTC settlement follows a series of incidents in 2019 in which hackers accessed Ring cameras to harass and stalk owners, including families and children. The complaint notes several examples of these cases, including one when an 87-year-old woman in an assisted living facility was threatened and sexually propositioned.
The FTC complaint alleges that Ring’s security promises to customers would have reasonably led them to believe that the company was taking steps to prevent such attacks. The complaint also notes that Ring failed to limit customers’ video data to employees who needed access, instead allowing every employee as well as hundreds of contractors to access feeds whether they needed to or not.
“This method to entry meant that Ring’s staff and third-party contractors had harmful — and pointless — entry to extremely delicate information,” the complaint said.
The FTC also noted several “unreasonable information safety and privateness practices” the company had between 2016 and 2020, including: failing to encrypt customer video at rest, failing to obtain customer consent for reviewing video data for research and failing to provide employees with data security training.
Amazon told lawmakers in a letter in 2020 that it had updated its security practices to encrypt video feeds and “proactively monitor” for credential stuffing.
CyberScoop has reached out to Ring for comment.