D.C. Party to First Cybersecurity Failure Settlement (Cisco Video Surveillance Manager)

The Washington D.C. Police Department and 19 state entities were using Cisco’s Video Surveillance Manager during the time the known vulnerability went unpatched.

2019-08-Letitia-James_Twitter-892019.jpg

The District of Columbia, along with 19 states led by their attorney generals, will share in an $8.6 million settlement related to a cybersecurity failure in Cisco Video Surveillance Manager, a video security technology product sold to governments and agencies from 2008 - 2014, according to the company’s blog.

In a prepared statement, New York State Attorney General Letitia James, who led the multi-state lawsuit and is shown above, said:

Cisco’s failure to keep their software safe could have endangered the safety of New Yorkers across our state. We are holding the company accountable and will ensure that software manufacturers dealing with our state not only have the most secure software possible, but diligently report and repair any flaws they learn about. This is about our security, privacy, and protection.”
Cities & Counties Were Using the Video Surveillance System

Cisco’s Video Surveillance Manager was used on the local level to provide security and other services. The company posted the Washington D.C. Metro Police Department implementation as a product case study on its website. The system was used in places like the Los Angeles International Airport, the New York City public transit system and by San Joaquin County, Amtrak and various U.S. military branches.

The company indicated yesterday on its blog that essentially, government clients’ standards have evolved since the product was developed, and that’s why they settled with a pay out:

“Evaluating these facts today, we’ve now agreed to make a payment that includes, what is in effect, a partial refund to the US federal government and 16 states for products purchased between Cisco’s fiscal years 2008 and 2013. The payment settles litigation that had originally been brought in 2011. The total sales at issue were well under one one-hundredth of one percent of Cisco’s total sales, and our total payment was $8.6 million, which includes payment of approximately $1.6 million to the individual who brought this to the attention of the government. While this is a legacy issue which no longer exists, it matters to us to recognize that times and expectations have changed,” wrote Cisco’s general counsel, Mark Chandler, executive vice president and chief legal officer.

Whistleblower Gets a Share

Whistleblower James Glenn was a subcontractor in Denmark when he discovered that he could hack into and control Cisco’s video software and surveillance system without being detected, his legal firm Constantine Cannon told the New York Times.

“There’s this culture that tends to prioritize profit and reputation over doing what’s right,” Glenn said in a written statement. “I hope coming forward with my experience causes others in the tech community to think about their ethical mandate,” wrote Glenn, who Cisco said will pay $1.6 million to as part of the settlement.

Glenn reported the flaw to Cisco. Several months after he was laid off, in June 2010, he discovered the vulnerability remained and he could still hack into and control a video surveillance system. The company continued to sell the system and did not advise affected customers of a patch until 2013.

With the settlement, Cisco reported the company is focused on the evolving needs of stakeholders.

We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product,” said Cisco spokeswoman Robyn Blum. “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture,” according to Reuters.

Andrea Fox is Editor of Gov1.com and Senior Editor at Lexipol. She is based in Massachusetts.