Cisco Settles Video Surveillance Software Vulnerability Lawsuit For $8.6M

Cisco says in a blog post about the settlement that evolving security standards triggered the need for the company to acknowledge and reimburse customers for the flawed video surveillance software.

Cisco Systems has agreed to pay $8.6 million to settle a lawsuit that alleges the tech giant sold video security software with known security vulnerabilities to U.S. federal and state governments.

The litigation, originally brought in 2011, was filed under the False Claims Act and alleged that one of Cisco's legacy software lines, Cisco Video Surveillance Manager, did not meet its own cybersecurity standards. The individual who originally alerted the government to the software’s issues worked for NetDesign, a Denmark-based Cisco partner.

NetDesign is a privately held firm that builds and manages customizable IP communications, networking and security solutions for customers. Through his legal counsel, Glenn said he had been working on a video surveillance project with the Danish police when he discovered a vulnerability that could allow a hacker to first compromise the video LAN and then easily gain access to other parts of a businesses' network.

[Related: The 13 Biggest Data Breaches of 2019 (So Far)]

Cisco, for its part, said that evolving security standards triggered the need for the company to acknowledge and reimburse customers for the flawed video surveillance software, according to Mark Chandler, Cisco's executive vice president and chief legal officer, in a blog post published by the San Jose, Calif.-based tech giant Wednesday.

"Evaluating these facts today, we’ve now agreed to make a payment that includes, what is in effect, a partial refund to the U.S. federal government and [certain] states. … While this is a legacy issue which no longer exists, it matters to us to recognize that times and expectations have changed," Chandler wrote.

The software caught in the middle of the lawsuit was created by Broadware, a company that Cisco acquired in 2007. According the blog post, Broadware at the time intentionally built its products using an open architecture, which allowed for the creation of customized security applications. But that same open architecture could have allowed for video feeds to be compromised, Chandler wrote.

John Barker, co-founder and CEO of Versatile Communications, a Marlborough, Mass.-based Cisco partner, sells video surveillance solutions from the vendor and remains confident in Cisco's security pedigree and response to current threats. However, Versatile also maintains a healthy skepticism of security around cloud-based solutions.

"From our perspective, we are in this cloud-based world and in recent years there's been a lot more attention paid to quality and security," he said. "Still, we're really careful about upgrades and we don't recommend our customers to roll anything out until a period of time has passed so [vendors] can address things like security issues or other things that may have broken."

That the software originated from a Cisco acquisition could mean that the technology was following different security standards than Cisco had in place at the time, Barker said.

"Keeping track of all their product lines can be hard, especially for some of the big players. I think whether a product was developed in their own lab or comes from an acquisition can make a difference when it comes to security protocols," he said.

Via the terms of the settlement, Cisco will pay $2.6 million to the federal government and up to $6 million to 15 states, the District of Columbia, and certain cities, counties and political subdivisions. The states included in the settlement are California, Delaware, Florida, Hawaii, Illinois, Indiana, Minnesota, Nevada, New Jersey, New Mexico, New York, North Carolina, Tennessee, Massachusetts and Virginia.

The settlement also includes a payment of about $1.6 million to Glenn, who said in the suit that he contacted Cisco about the potential flaws within Video Surveillance Manager in 2008, but that Cisco failed to respond and continued to sell the cameras and software. Through his attorney, Glenn said he was fired in 2009 at Cisco's behest after he submitted a detailed report to Cisco on the vulnerability.

Cisco said that there is no evidence that any customer using the video surveillance products was ever breached. The company issued an update to address security for the software in 2013, and in 2014 discontinued sales of older versions of Cisco Video Surveillance Manager.