Ring, the Amazon-owned maker of video surveillance devices, will pay $5.8 million in consumer refunds and will be prohibited from profiting from unlawfully accessing consumer videos, the US Federal Trade Commission (FTC) has announced.
The FTC charged home security camera company Ring with compromising its customers' privacy by allowing any employee or contractor to access consumers' private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers' accounts, cameras, and videos.
Under a proposed order, which must be approved by a federal court, Ring will be required to delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed.
It also will be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts, the US agency said in a statement late on Wednesday.
"Ring's disregard for privacy and security exposed consumers to spying and harassment," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. "The FTC's order makes clear that putting profit over privacy doesn't pay."
California-based Ring, which was purchased by Amazon in February 2018, sells internet-connected, video-enabled home security cameras, doorbells, and related accessories and services.
In a complaint, the FTC said that Ring deceived its customers by failing to restrict employees' and contractors' access to its customers' videos; by using customer videos, without consent, to train algorithms, among other purposes; and by failing to implement security safeguards.
The FTC also said Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers' private video recordings for various purposes, including training algorithms.
Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed to implement common defenses such as multi-factor authentication until 2019.
As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 customers, according to the complaint.