Ring, the surveillance device manufacturer owned by Amazon, has reached a settlement with the Federal Trade Commission (FTC) and will pay $5.8 million in response to accusations of unauthorized access to customers’ videos by Ring employees and contractors. The settlement, which was filed in the U.S. District Court for the District of Columbia on Wednesday, has been confirmed by the FTC. Reuters first reported the news of the settlement.

According to the FTC, Ring employees and contractors had unrestricted access to customers’ sensitive video data for an extended period. This access allowed them to view, download, and transfer the videos for their personal purposes, reflecting a “dangerously overbroad access and lax attitude toward privacy and security.”

The complaint filed by the FTC states that every Ring employee, along with numerous third-party contractors based in Ukraine, had full access to all customer videos, regardless of whether it was necessary for their job responsibilities. Additionally, Ring staff and contractors could easily download any customer’s videos and freely view, share, or disclose them.

The FTC alleged that there were at least two instances where Ring employees improperly accessed private videos of women, with one incident going unnoticed for several months.

Ring, in a draft notice to be sent to affected customers, stated that the individuals responsible for the privacy breaches are no longer employed by the company.

Furthermore, the FTC’s complaint highlighted Ring’s failure to address multiple reports of credential stuffing, a method where hackers exploit stolen user credentials from one data breach to gain unauthorized access to accounts on other platforms. The FTC accused Ring of allowing the use of easily guessable passwords, such as “password” and “12345678,” which facilitated account breaches. The FTC also criticized Ring for not taking prompt action to prevent these hacks.

The FTC claimed that over 55,000 U.S. customers had their accounts compromised between January 2019 and March 2020, and in some cases, hackers retained control over these accounts for more than a month.

In response, Ring made two-factor authentication mandatory for users in February 2020 and introduced end-to-end encryption in 2021, enabling users to encrypt their doorbell videos and limit access to themselves only.

In addition to the $5.8 million settlement, Ring has agreed to establish and maintain a data security program that includes regular assessments for the next two decades. The company will also disclose the extent of its employees’ and contractors’ access to customer data.

Ring’s spokesperson, Emma Daniels, expressed disagreement with the FTC’s allegations and denied any violation of the law in an emailed statement to GreyJournal.