Ring, the video surveillance device manufacturer owned by Amazon, has agreed to pay $5.8 million to resolve claims brought by the Federal Trade Commission (FTC) over the unauthorized access of customer videos by Ring employees and contractors. The settlement was filed in the U.S. District Court for the District of Columbia and confirmed by the FTC. Reuters first reported the news of the settlement.
The FTC accused Ring of granting its employees and contractors broad and unrestricted access to customers’ sensitive video data for years, citing the company’s “dangerously overbroad access and lax attitude toward privacy and security.”
According to the FTC’s complaint, Ring provided every employee and numerous third-party contractors in Ukraine with full access to all customer videos, regardless of whether it was necessary for their job functions. Furthermore, Ring staff and contractors had the ability to download and freely view, share, or disclose any customer’s videos.
The FTC also alleged that Ring employees improperly accessed private videos of women on at least two occasions, with one instance of spying going undetected for months.
In response to the breach, Ring plans to notify affected customers, stating that the individuals involved no longer work for the company.
The FTC’s complaint further noted that Ring failed to address multiple reports of credential stuffing, a technique used by hackers to gain unauthorized access to accounts using stolen user credentials from previous data breaches. Ring’s lax security practices, including allowing easily guessable passwords like “password” and “12345678,” facilitated account hacks. As a result, over 55,000 U.S. customers experienced compromised accounts between January 2019 and March 2020, with some hackers retaining access for over a month.
To enhance data security, Ring implemented mandatory two-factor authentication for users in February 2020. Additionally, in 2021, the company introduced end-to-end encryption, enabling users to encrypt their doorbell videos so that no one other than themselves can access them.
In addition to the monetary settlement, Ring agreed to establish and maintain a comprehensive data security program, including regular assessments, for the next 20 years. The company will also disclose the level of access its employees and contractors have to customer data.