Cisco agreed to pay $8.6 million to settle a lawsuit accusing the company of intentionally selling a hackable video surveillance system to federal and state agencies.
The lawsuit began eight years ago, in 2011, when Cisco contractor James Glenn accused the company of continuing to sell video surveillance technology to federal agencies, even after learning that the program was vulnerable to multiple security breaches.
According to court documents, James and a colleague discovered multiple weaknesses in Cisco’s group of video surveillance managers in September 2008 and attempted to inform the company in October 2008.
Cisco’s Video Monitoring Manager group allows customers to manage multiple video cameras in different physical locations via a central server, which in turn is remotely accessible.
Vulnerabilities may have allowed remote hackers to have permanent access to the video surveillance system, possibly allowing them to access all videos, all data stored on the system, by modifying or deleting videos and bypassing security measures.
James informed the FBI of Cisco’s security breaches when he realized in 2010 that the company had never solved these problems and had not alerted its customers.
The U.S. federal agency filed a lawsuit alleging that Cisco had defrauded the federal, state and local governments that purchased the product.
The company sold, directly and indirectly, Cisco’s group of video surveillance managers to police departments, schools, courts, municipal offices, and airports.
In addition, the product has been sold to several government agencies, such as the Department of Homeland Security; the Secret Service; the Navy; the Army; the Air Force; the Marine Corps; and the Federal Emergency Management Agency (FEMA).
“Cisco has been aware of these serious security breaches for at least two and a half years, and has not alerted government entities that have continued to use the hackable system,” the suit says.
In 2013, the company acknowledged its weaknesses, following the continuation in 2011, and released an updated version of the video surveillance director group.