Cisco Systems has agreed to pay $8.6 million to settle a lawsuit that accused the company of knowingly selling video surveillance system containing severe security vulnerabilities to the U.S. federal and state government agencies.
It’s believed to be the first payout on a ‘False Claims Act‘ case over failure to meet cybersecurity standards.
The lawsuit began eight years ago, in the year 2011, when Cisco subcontractor turned whistleblower, James Glenn, accused Cisco of continue selling a video surveillance technology to federal agencies even after knowing that the software was vulnerable to multiple security flaws.
According to the court documents, Glenn and one of his colleagues discovered multiple vulnerabilities in Cisco Video Surveillance Manager (VSM) suite in September 2008 and tried to report them to the company in October 2008.
The vulnerabilities could have reportedly enabled remote hackers to gain unauthorized access to the video surveillance system permanently, eventually allowing them to gain access to all video feeds, all stored data on the system, modify or delete video feeds, and bypass security measures.
Apparently, Net Design, the Cisco contractor where Glenn was working at that time, fired him shortly after he reported Cisco’s security violations, which the company officially described as a cost-cutting measure.
However, in 2010, when Glenn realized that Cisco never fixed those issues neither notified its customers, he informed the U.S. federal agency, who then launched a lawsuit claiming Cisco had defrauded U.S. federal, state and local governments who purchased the product.
Cisco, directly and indirectly, sold its Video Surveillance Manager software suit to police departments, schools, courts, municipal offices and airports as we as to many government agencies including the U.S. Department of Homeland Security, the Secret Service, the Navy, the Army, the Air Force, the Marine Corps and the Federal Emergency Management Agency (FEMA).
“Cisco has known of these critical security flaws for at least two and a half years; it has failed to notify the government entities that have purchased and continue to use Video Surveillance Manager of the vulnerability,” the lawsuit states.
“Thus, for example, an unauthorized user could effectively shut down an entire airport by taking control of all security cameras and turning them off. Alternately, such a hacker could access the video archives of a large entity to obscure or eliminate video evidence of theft or espionage.”
After the lawsuit was filed, the company acknowledged the vulnerabilities (CVE-2013-3429, CVE-2013-3430, CVE-2013-3431) and released an updated version of its Video Surveillance Manager software suit.
As part of the lawsuit, Cisco has finally agreed to pay $8.6 million in the settlement—of which Glenn and his lawyers will receive $1.6 million and the rest $7 million going to the federal government and the 16 states that purchased the affected product.
In response to the latest settlement, Cisco issued an official statement Wednesday saying it was “pleased to have resolved” the 2011 dispute and that “there was no allegation or evidence that any unauthorized access to customers’ video occurred” as a result of its Video Surveillance Manager suit’s architecture.
However, the company added that video feeds could “theoretically have been subject to hacking,” though the lawsuit has not claimed that anyone had exploited the vulnerabilities discovered by Glenn.