Cisco Systems has agreed to pay US$8.6 million to settle a lawsuit that alleges the tech giant sold video security software with known security vulnerabilities to US federal and state governments.
The litigation, originally brought in 2011, was filed under the False Claims Act and alleged that one of Cisco's legacy software lines, Cisco Video Surveillance Manager, did not meet its own cybersecurity standards. The individual who originally alerted the government to the software’s issues worked for NetDesign, a Denmark-based Cisco partner.
NetDesign is a privately held firm that builds and manages customisable IP communications, networking and security solutions for customers. Through his legal counsel, Glenn said he had been working on a video surveillance project with the Danish police when he discovered a vulnerability that could allow a hacker to first compromise the video LAN and then easily gain access to other parts of a business's network.
Cisco, for its part, said that evolving security standards triggered the need for the company to acknowledge and reimburse customers for the flawed video surveillance software, according to Mark Chandler, Cisco's executive vice president and chief legal officer, in a blog post published by the San Jose, Calif.-based tech giant Wednesday.
"Evaluating these facts today, we’ve now agreed to make a payment that includes, what is in effect, a partial refund to the US federal government and [certain] states. … While this is a legacy issue which no longer exists, it matters to us to recognise that times and expectations have changed," Chandler wrote.
The software caught in the middle of the lawsuit was created by Broadware, a company that Cisco acquired in 2007. According to the blog post, Broadware at the time intentionally built its products using an open architecture, which allowed for the creation of customised security applications. But that same open architecture could have allowed for video feeds to be compromised, Chandler wrote.
Via the terms of the settlement, Cisco will pay US$2.6 million to the federal government and up to US$6 million to 15 states, the District of Columbia, and certain cities, counties and political subdivisions. The states included in the settlement are California, Delaware, Florida, Hawaii, Illinois, Indiana, Minnesota, Nevada, New Jersey, New Mexico, New York, North Carolina, Tennessee, Massachusetts and Virginia.
The settlement also includes a payment of about US$1.6 million to Glenn, who said in the suit that he contacted Cisco about the potential flaws within Video Surveillance Manager in 2008, but that Cisco failed to respond and continued to sell the cameras and software. Through his attorney, Glenn said he was fired in 2009 at Cisco's behest after he submitted a detailed report to Cisco on the vulnerability.
Cisco said that there is no evidence that any customer using the video surveillance products was ever breached. The company issued an update to address security for the software in 2013, and in 2014 discontinued sales of older versions of Cisco Video Surveillance Manager.