Ring, the Amazon-owned maker of video surveillance devices, will pay $5.8 million over claims brought by the Federal Trade Commission that Ring employees and contractors had broad and unrestricted access to customers’ videos for years.
The settlement was filed in the U.S. District Court for the District of Columbia on Wednesday. The FTC confirmed the settlement a short time later. News of the settlement was first reported by Reuters.
The FTC said that Ring employees and contractors were able to view, download, and transfer customers’ sensitive video data for their own purposes as a result of “dangerously overbroad access and lax attitude toward privacy and security.”
According to the FTC’s complaint, Ring gave “every employee — as well as hundreds of Ukraine-based third-party contractors — full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function.” The FTC also said that Ring staff and contractors “could also readily download any customer’s videos and then view, share, or disclose those videos at will.”
The FTC alleged on at least two occasions Ring employees improperly accessed the private Ring videos of women. In one of the cases, the FTC said the employee’s spying went on for months, undetected by Ring.
According to a draft notice of the notification Ring plans to send affected customers, the individuals are no longer employed by Ring.
The government’s complaint also said that Ring failed to respond to multiple reports of credential stuffing — where hackers use stolen user credentials from one data breach to break into the accounts using the same credentials on other sites. The FTC said Ring allowed the use of easily guessable passwords — as simple as “password” and “12345678” — which made brute-forcing accounts easier, and that Ring failed to act sooner to prevent account hacks.
The FTC claims more than 55,000 U.S. customers had their accounts compromised between January 2019 and March 2020 as a result. In more than a dozen cases, hackers maintained access to hacked accounts for more than a month.
Ring subsequently made two-factor authentication mandatory for users in February 2020. Ring introduced end-to-end encryption in 2021, allowing users to encrypt their doorbell videos from anyone other than themselves — including Ring.
Along with paying $5.8 million to settle the FTC’s allegations, Ring also agreed to establish and maintain a data security program with regular assessments for the next 20 years, as well as disclosing what access its employees and contractors have to customer data.
Ring spokesperson Emma Daniels said in an emailed statement to that Ring disagreed with the FTC’s allegations and denied violating the law.