Ring, the maker of video surveillance equipment owned by Amazon, will pay $5.8 million for Federal Trade Commission claims that Ring employees and contractors had broad and unrestricted access to customer videos for years.
The settlement was filed in U.S. District Court for the District of Columbia on Wednesday. The FTC confirmed the settlement a short time later. The news of the settlement was reported first by Reuters.
The FTC said Ring employees and contractors were able to view, download and transfer sensitive customer video data for their own purposes due to “dangerous, over-broad access and lax attitudes to privacy and security.”
According to the complaint from the FTC, Ring “gave every employee — as well as hundreds of Ukraine-based third-party contractors — full access to every customer video, regardless of whether the employee or contractor really needed that access to perform his or her job.” The FTC also said that Ring employees and contractors “can also easily download customer videos and then view, share, or disclose those videos as they see fit.”
The FTC alleged that Ring employees improperly accessed women’s private Ring videos on at least two occasions. In one case, the FTC said the employee spying went on for months, unnoticed by Ring.
According to a draft notification of the notification Ring plans to send affected customers, the individuals are no longer employed by Ring.
The government’s complaint also said that Ring did not respond to multiple reports of credential stuffing – where hackers use stolen user credentials from a data breach to break into accounts with the same credentials on other sites. The FTC said Ring allowed the use of easy-to-guess passwords — as simple as “password” and “12345678” — making brute force accounts easier, and that Ring had not previously acted to prevent account hacks.
The FTC claims that between January 2019 and March 2020, more than 55,000 U.S. customers had their accounts compromised as a result. In more than a dozen cases, hackers kept access to hacked accounts for more than a month.
Ring then made two-factor authentication mandatory for users in February 2020. Ring introduced end-to-end encryption in 2021, allowing users to encrypt their doorbell videos from anyone other than themselves, including Ring.
In addition to paying $5.8 million to settle the FTC’s allegations, Ring also agreed to establish and maintain a data protection program with regular reviews for the next 20 years, and to disclose which access its employees and contractors to customer data.
Ring spokesperson Emma Daniels said in an emailed statement to TechCrunch that Ring disagreed with the FTC’s allegations and denied violating the law.
