Amazon agreed to pay a $5.8 million settlement after the Federal Trade Commission found it was illegally spying on customers and failed to stop hackers from taking control of users’ Ring cameras.
An FTC investigation(Opens in a new window) concluded that Ring, which Amazon acquired in 2018, had compromised the privacy of its customers “by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections.”
Ring’s violation of user privacy occurred on multiple fronts. Ring users were likely unaware that the company had been using their videos for “product improvement and development” because Ring buried that information in the Terms of Service and Privacy Policy. It meant customer videos were used to train algorithms, but were also being viewed by Ring employees and contractors.
The FTC found that one Ring employee had viewed thousands of videos of female customers in their bedrooms and bathrooms over several months. The employee in question was only stopped when another employee discovered what they had been doing. Ring was unable to determine if any other employees had been violating the privacy of users in the same way because the company did not monitor employee access to videos.
Further privacy violations occurred due to a lack of security. The FTC found that hackers used a combination of credential stuffing and brute force attacks to gain access to customer accounts. Essentially, a hacker used credentials leaked in other security breaches to discover the password on Ring accounts by using an automated password-guessing system. Ring did not have multi-factor authentication implemented until 2019, and even then, the “sloppy implementation of the additional security measures hampered their effectiveness.”
Recommended by Our Editors
In total, some 55,000 Ring customers in the US had their accounts compromised and their videos viewed by hackers. However, in some cases the “bad actors” would harass, threaten, and insult customers, which included both children and elderly individuals. The FTC said, “hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.”
Amazon must now implement a mandated privacy and security program for Ring, which requires the company to delete all customer data (obtained prior to 2018), models, and algorithms derived from any video footage it unlawfully reviewed. The FTC also stipulated that “novel safeguards on human review of videos” are required going forward, as are multi-factor authentication for both customers and employee accounts. The $5.8 million Amazon is paying will be used for customer refunds.
Readers’ Choice 2021: Home Security
Get Our Best Stories!
Sign up for What’s New Now to get our top stories delivered to your inbox every morning.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Hits: 0
