Cisco Pays $8.6 Million Settlement Over Software With Vulnerabilities Sold To Governments


Cisco has agreed to pay $8.6 million in a settlement with the government over video surveillance software that it sold to governments throughout the US and that contained security vulnerabilities. The flaws would have permitted unauthorized system access.

The software was created by Broadware, a company Cisco bought in 2007 for its surveillance video technology, and it went by the name Video Surveillance Manager once it was added to the Cisco platform.

A coalition of states, including North Carolina, began investigating Cisco after a former Cisco employee came forward as a whistleblower and filed an action under the federal False Claims Act and state whistleblower acts. The whistleblower alleged that in 2009, Cisco had discovered security flaws in software, designed to control security camera systems, that it sold to the states and the federal government. The flaws would permit unauthorized access to the system, with the potential to control and otherwise manipulate security cameras and the recorded footage.

Cisco said in its filing that the vulnerabilities were based on the software’s open architecture, which could have theoretically allowed for unauthorized access. Cisco is alleged to have fired the employee who filed the report.

Cisco failed to report or remedy these flaws until 2013, after the investigation had begun. The joint investigation uncovered no evidence that a hack or any unauthorized access of security surveillance systems ever took place, and the software has been discontinued.

States included in the settlement were: New York, California, Delaware, Florida, Hawaii, Illinois, Indiana, Massachusetts, Minnesota, Montana, Nevada, New Hampshire, New Jersey, New Mexico, Rhode Island, Tennessee, Virginia, and the District of Columbia.

Cisco will also pay civil damages to Homeland Security, the Secret Service, all four branches of the military, and the Federal Emergency Management Agency.

The full settlement is available here.