Cisco has agreed to pay $8.6 million to settle claims it sold video security software that had a vulnerability that could have opened federal, state and local government agencies to hackers.
Under terms of the settlement Cisco will pay $2.6 million to the federal government and up to $6 million to 15 states, certain cities and other entities that purchased the product. The states that settled with Cisco are California, Delaware, Florida, Hawaii, Illinois, Indiana, Minnesota, Nevada, New Jersey, New Mexico, New York, North Carolina, Tennessee, Massachusetts and Virginia.
According to Cisco, the software, which was sold between 2008 and 2014 was created by Broadware, a company Cisco bought in 2007 for its surveillance video technology and ultimately named it Video Surveillance Manager.
“Broadware intentionally utilized an open architecture to allow customized security applications and solutions to be implemented. Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached,” wrote Mark Chandler, Cisco executive vice president, Chief Legal Officer and General Counsel. “In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us. And in July, 2013, we advised that customers should upgrade to a new version of the software which addressed security features. All sales of the older versions of the software had ended by September, 2014.”
Cisco wrote of vulnerabilities and a patch for the problems in its Video Surveillance Manager in 2013 saying “multiple security vulnerabilities exist in versions of Cisco VSM prior to 7.0.0, which may allow an attacker to gain full administrative privileges on the system.”
The case was brought as a whistleblower lawsuit in 2011 against Cisco “for selling and causing others to sell to federal agencies as well as to state and local government entities a video surveillance system that Defendant knew to possess dangerous, undisclosed, and impermissible security weaknesses.”
Law firm Phillips & Cohen filed the lawsuit alleging violations of a federal fraud law, the False Claims Act, and similar state laws on behalf of James Glenn, a former security consultant for a Danish company that is a Cisco partner, in federal district court in Buffalo, NY, in 2011. Fellow law firm Constantine Cannon LLP was co-counsel in the suit. The lawyers say this is one of the first time a company has been made to pay a False Claims finding.
The Danish company fired Glenn in 2009 after he submitted a detailed report to Cisco identifying what he believed to be security flaws.
“The whistleblower submitted several detailed reports to Cisco allegedly revealing that anyone with a moderate grasp of network security could exploit this software to gain unauthorized access to stored data, bypass physical security systems, and gain administrative access to the entire network of a government agency, all without detection. Despite the repeated internal warnings of VSM’s flaws, Cisco allegedly continued to sell the vulnerable software to high-profile infrastructure targets," according to Constantine Common.
“I was very concerned about the possibility that someone might endanger public safety by hacking into government systems,” Glenn said in a statement. “I filed the [whistleblower] qui tam lawsuit to make the government aware of the problem and to get it fixed. I am glad that Cisco replaced the affected product and that the case has been settled.”
“Cybersecurity products are an important piece of government spending these days, and it’s essential that those products comply with critical regulatory and contractual requirements,” said Claire Sylvia, a whistleblower attorney and partner at Phillips & Cohen in a statement. “The tech industry can expect whistleblowers to continue to step forward when serious problems are ignored, thanks to laws that reward and protect them.”