FTC: Security failings at Amazon’s Ring let hackers, employees access customer videos
The Federal Trade Commission on Wednesday accused Amazon’s Ring unit of failing to implement “basic” privacy and cybersecurity measures, which allowed hackers to take control of users’ cameras and gave employees and contractors the ability to access private videos — including thousands of recordings from female users’ bathrooms and bedrooms.
The FTC detailed the charges in a complaint filed with the U.S. District Court for the District of Columbia, arguing that the maker of internet-connected home security cameras and doorbells deceived customers by failing to restrict access to videos and failing to stop credential stuffing and brute force attacks despite warnings from employees and security researchers.
Under a proposed order, which was also filed on Wednesday, Ring agreed to resolve the charges by paying $5.8 million in consumer refunds, as well as to implement a new privacy and security program and to delete data derived from the videos it unlawfully reviewed. As part of the order, which must be approved by a federal court before it can go into effect, Ring neither admits nor denies the allegations in the complaint.
“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”
The FTC called Ring’s actions “egregious violations of users’ privacy,” highlighting an example where one employee viewed thousands of video recordings from cameras in female users’ bathrooms and bedrooms. That incident, which lasted several months, only stopped after another employee discovered the misconduct, the FTC said.
Furthermore, “even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.”
The FTC also accused the company of failing to implement basic cybersecurity measures such as multifactor authentication until 2019, even though the company experienced multiple credential stuffing attacks in 2017 and 2018. “Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness,” the FTC said.
Hackers were able to exploit the security weaknesses to access videos and other information from about 55,000 U.S. accounts, and went so far as to harass and threaten customers, including children and elderly individuals. “Hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom,” the FTC said.
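The two attack patterns the complaint names are distinct and are caught by different checks: credential stuffing replays leaked username/password pairs, so a single source tries many different accounts with only one or two attempts each, while brute force hammers one account with many guesses. The following is an added example, not code from Ring, Amazon or the FTC, showing detection logic for both over authentication log lines. The log format (timestamp, source IP, username, outcome), the thresholds and the sample lines are all constructed for illustration.

```python
"""Credential-stuffing and brute-force detection over auth log lines.

Added example, not Ring's or Amazon's code. The log format, the thresholds
and the sample lines are assumptions constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: one stuffing campaign from 203.0.113.7 (many accounts,
# one attempt each, two of them succeed), one brute-force run from 198.51.100.2
# against a single account, and one benign login from 192.0.2.9.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2018-03-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2018-03-01T10:00:03Z 203.0.113.7 carol@example.com FAIL
2018-03-01T10:00:04Z 203.0.113.7 dave@example.com SUCCESS
2018-03-01T10:00:05Z 203.0.113.7 erin@example.com FAIL
2018-03-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2018-03-01T10:00:07Z 203.0.113.7 grace@example.com SUCCESS
2018-03-01T10:05:00Z 198.51.100.2 alice@example.com FAIL
2018-03-01T10:05:30Z 198.51.100.2 alice@example.com FAIL
2018-03-01T10:06:00Z 198.51.100.2 alice@example.com FAIL
2018-03-01T10:06:30Z 198.51.100.2 alice@example.com SUCCESS
2018-03-01T12:00:00Z 192.0.2.9 heidi@example.com SUCCESS
"""

# Assumed line format: ISO-8601 UTC time, source IP, username, FAIL|SUCCESS.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|SUCCESS)$")


def parse_line(line):
    """Return (timestamp, source_ip, username, succeeded) or raise on junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth log line: {line!r}")
    ts, ip, user, outcome = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, outcome == "SUCCESS"


def detect_attacks(log_text, window=timedelta(minutes=10),
                   stuffing_users=5, brute_failures=3):
    """Sliding-window detection per source IP.

    credential_stuffing: ip -> accounts that logged in successfully from an IP
        that touched >= stuffing_users distinct accounts inside the window
        (those accounts are the likely compromised ones).
    brute_force: (ip, user) pairs with >= brute_failures failures in the window.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # ip -> events still inside the window
    stuffing = {}
    brute = set()
    for when, ip, user, ok in events:
        q = recent[ip]
        q.append((when, user, ok))
        while q and when - q[0][0] > window:   # evict events older than the window
            q.popleft()
        distinct = {u for _, u, _ in q}
        if len(distinct) >= stuffing_users:
            # Many accounts from one source: record which logins actually succeeded.
            stuffing.setdefault(ip, set()).update(u for _, u, ok2 in q if ok2)
        failures = sum(1 for _, u, ok2 in q if u == user and not ok2)
        if failures >= brute_failures:
            brute.add((ip, user))
    return {"credential_stuffing": stuffing, "brute_force": brute}


if __name__ == "__main__":
    result = detect_attacks(SAMPLE_LOG)
    for ip, accounts in result["credential_stuffing"].items():
        print(f"stuffing from {ip}: compromised {sorted(accounts)}")
    for ip, user in sorted(result["brute_force"]):
        print(f"brute force from {ip} against {user}")
```

The stuffing check keys on the number of distinct accounts per source rather than on failures per account, because a stuffing campaign may produce only one failed attempt per account and still net a steady trickle of successes, which is the case rate limiting per account never sees. The successes recorded for a flagged source are the accounts to lock and reset; the MFA requirement the FTC faults Ring for delaying is what stops those successes from yielding camera access in the first place.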
“Ring promptly addressed these issues on its own years ago, well before the FTC began its inquiry,” a Ring spokesperson said in a statement. “While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers.”
Amazon to pay more than $30 million
Amazon, which acquired Ring in 2018, also reached a separate settlement with the FTC on Wednesday over accusations that it violated children’s privacy rights by failing to delete Alexa recordings at the request of parents.
The company, which will pay a $25 million fine, allegedly violated the Children’s Online Privacy Protection Act (COPPA), a law the FTC has recently enforced more aggressively against tech firms, including Fortnite maker Epic Games.
“While we disagree with the FTC’s claims and deny violating the law, this settlement puts the matter behind us, and we believe it’s important to put the settlement in the right context,” Amazon said in a statement. The company added that it designed its products with the COPPA in mind, and “applied rigorous standards” when expanding its Amazon Kids service to include Alexa.
Adam Janofsky is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.