
Cisco Pays $8.6M to Settle Claims it Sold Flawed Software to the US

Cisco's product was designed for use in airports, government buildings, and military bases, among others. But the software was allegedly rife with security vulnerabilities a hacker could exploit to steal data and access government networks.

By Michael Kan
July 31, 2019

Cisco will pay $8.6 million to settle claims it knowingly sold video surveillance software that contained security flaws to the US government and military agencies.

The software package, called Video Surveillance Manager, was sold about a decade ago to the Department of Homeland Security, Secret Service, the US Army, and numerous other federal, state, and local government departments, according to a 2011 court complaint, which was unsealed on Wednesday.

Cisco's product was designed for use in airports, government buildings, and military bases, among others. But according to the complaint, the system was also rife with security vulnerabilities that risked compromising other computers connected to it. If exploited, the flaws could let a hacker break into a government agency's network and steal data without detection.

In 2008, an employee at a company distribution partner in Denmark, James Glenn, discovered the flaws, and submitted reports to Cisco, warning of the danger. The complaint claims Cisco was aware of the reports, but decided to sell the unpatched software anyway.

Glenn then decided to take Cisco to court through the federal False Claims Act, which permits someone to report fraud and misconduct involving federal government contracts, and win a financial reward. As part of his claim, 15 states joined his lawsuit against the company.

Cisco is downplaying the threat the software posed. "There was no allegation or evidence that any unauthorized access to customers' video occurred as a result of the architecture," the company said in a statement.

In a blog post, Cisco added that the technology involved came from Broadware, which it acquired in 2007 and favored using an "open architecture" on its security products. "In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us. And in July 2013 we advised that customers should upgrade to a new version of the software which addressed security features. All sales of the older versions of the software had ended by September 2014," the company said.

Nevertheless, Cisco agreed to the $8.6 million settlement, calling it a "partial refund" to the US federal government and the 16 states that purchased the affected products.

Although the settlement is relatively small for Cisco, a company that rakes in billions each year, it's the first time a cybersecurity case has resulted in a successful payout under the False Claims Act, according to Glenn's attorneys. This could spark others to file similar lawsuits against tech suppliers to the US government over past data breaches or security bugs.

"The tech industry needs to fulfill its professional responsibility to protect the public from their products and services," Glenn said in a statement. "There's this culture that tends to prioritize profit and reputation over doing what's right. I hope coming forward with my experience causes others in the tech community to think about their ethical mandate."
