Amazon-owned Ring reached a $5.8 million settlement with the Federal Trade Commission on Wednesday over the company’s alleged failures to protect user data against cyberattacks.
According to a complaint filed on behalf of the FTC in a federal court, approximately 55,000 U.S. customers suffered serious account compromises over a period during which Ring failed to take necessary measures to prevent credential stuffing and brute force attacks. The attacks allowed hackers to try and access consumers’ accounts through a previously breached password or automated, repeated attempts at guessing credentials.
For 910 of the U.S. accounts (or 1,250 devices), attackers were able to not just take over accounts but take additional steps such as accessing a live stream. In at least 20 cases, hackers maintained this access for more than a month.
“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, wrote in a statement. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”
A separate complaint and proposed settlement filed by the Justice Department on behalf of the FTC Wednesday accused Amazon’s Alexa voice assistant of violating the FTC Act and Children’s Online Privacy Protection Act by retaining children’s information without parental permission. Amazon settled that complaint for $25 million.
The FTC’s Ring settlement follows a series of incidents in 2019 in which hackers accessed Ring cameras to harass and stalk owners, including families and children. The complaint notes several examples of these cases, including one when an 87-year-old woman in an assisted living facility was threatened and sexually propositioned.
The FTC complaint alleges that Ring’s security promises to customers would have reasonably led them to believe that the company was taking steps to prevent such attacks. The complaint also notes that Ring failed to limit customers’ video data to employees who needed access, instead of allowing every employee and well as hundreds of contractors to access feeds whether they needed to or not.
“This approach to access meant that Ring’s employees and third-party contractors
had dangerous — and unnecessary — access to highly sensitive data,” the complaint said.
The proposed settlement orders Ring to pay $5.8 million which will go to customer refunds. It also requires Ring to delete any customer videos, face embedding and face data collected prior to 2018 as well as any work products derived from the data. Ring would agree under the order to notify the FTC about future incidents of unauthorized access.
The FTC’s settlement with Alexa would prohibit Amazon from using geolocation, voice information, and children’s voice information for the creation or improvement of any data product.
Both settlements are pending court approval.
The FTC also noted several “unreasonable data security and privacy practices” the company had between 2016 and 2020, including: failing to encrypt customer video at rest, failing to obtain customer consent for reviewing video data for research and failing to provide employees with data security training.
Amazon told lawmakers in a letter in 2020 that it had updated its security practices to encrypt video feeds and “proactively monitory” for credential stuffing.
Amazon said in a statement it disagreed with both the Ring and Alexa complaints and denied violating the law in both cases.
“Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security,” an Amazon spokesperson said about the Ring settlement. “Ring promptly addressed these issues on its own years ago, well before the FTC began its inquiry.”
About the Alexa settlement, the company said in an online blog it has applied “rigorous standards” to protect children’s data.
This is the second major swing by the FTC at children’s privacy in recent weeks. Earlier this month the FTC accused Facebook of violating federal children’s privacy law, proposing a settlement that would prohibit the company from profiting off of children’s data. Meta is challenging the complaint.
Updated May 31, 2023: To include statements from the FTC and Amazon.