New details emerge about Amazon's Ring staff spying on customers, and also reveals that 55,000 were hacked in 2019

Advertisement
New details emerge about Amazon's Ring staff spying on customers, and also reveals that 55,000 were hacked in 2019
Close-up of Ring doorbell, equipped with a camera and machine learning capabilities, installed outside a home in the Marina Del Rey neighborhood of Los Angeles, California.Smith Collection/Gado/Getty Images
  • The FTC published a proposed order on Wednesday which would require home surveillance giant Ring to pay $5.8 million to customers affected by hacks in 2019.
  • The FTC's complaint revealed 55,000 people were impacted by the 2019 hacks.
Advertisement

The Federal Trade Commission revealed in court documents Wednesday that at least 55,000 U.S. customers were the victims of 2019 hacks targeting Ring, the Amazon-owned home surveillance camera company. It also revealed new details about incidents of Ring employees and contractors spying on customers.

The court documents, which included a complaint and proposed settlement, would require Ring to pay $5.8 million to people affected by Ring's security flaws and consequent hacks.

The FTC complaint revealed that in between June and August 2017, a male Ring employee viewed "thousands" of videos captured on Ring cameras belonging to "at least 81" women, including Ring customers and employees. He was only fired when noticed a coworker noticed he was "only viewing videos of 'pretty girls.'"

Complimentary Tech Event
Transform talent with learning that works
Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More

A different Ring employee, starting in March 2018, personally gave cameras to people and then viewed their videos "without their knowledge or consent." When he left the company in September 2019, he reportedly took copies of some videos with him. The complaint, which cites a whistleblower, says Ring did not know "that anything was amiss."

On another occasion, a customer service representative, who was a contractor not employed for Ring, described having "unfettered access to videos belonging to thousands of customers who never contacted customer service." Previous reporting established that Ring's research and development team, based in Ukraine, has similarly unfettered access to customer videos.

Advertisement

It's unclear how many similar incidents may have occurred. Since Ring didn't implement reliable features to monitor employee access to videos before February 2019, the FTC said, the company has "no idea how many instances of inappropriate access to customers' sensitive video data actually occurred."

Yassi Yarger, a public relations manager for Ring and other Amazon products, told Insider that Ring "promptly addressed these issues on its own years ago, well before the FTC began its inquiry."

"While we disagree with the FTC's allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers," Yarger said.

More than 55,000 hack victims

Prior to the publication of Wednesday's complaint, public knowledge about Ring employees spying on customers has been known, but vague. In response to a Senate inquiry, Ring said in a January 2020 letter that over four years, the company received "four complaints or inquiries regarding a team member's access to Ring video data."

The complaint also reveals how many people were the victims of a series of 2019 hacks, which targeted Ring customers in several high profile incidents. Between January 2019 and March 2020, the FTC said in its Wednesday complaint, "more than 55,000 U.S. customers" were the victims of hackers targeting Ring accounts.

Advertisement

"The only place I am aware of this number being public is in our complaint," Elisa Jillson, a senior attorney at the FTC's Bureau of Consumer protection and a lead attorney on the case, told Insider.

The hackers used credential stuffing, where previously-compromised emails and passwords are used to log into another account, and brute force attacks, where log-in information is guessed en masse.

"Through these attacks, bad actors gained access to hundreds of thousands of videos of the personal spaces of consumers' homes, including their bedrooms and their children's bedrooms—recorded by devices that Ring sold by claiming that they would increase consumers' security," the complaint reads.

Media reports have documented how security issues affecting Ring accounts in 2019 allowed hackers to hijack user accounts, watch people from their homes at a remote location, and taunt and harass the victims through a speaker attached to the cameras. The vulnerability was used to harass an eight-year-old girl, in one incident. Some hackers launched a podcast where they hacked into Ring cameras in real time, for entertainment.

These hacks eventually resulted in a class action suit against the company, which is ongoing. In late 2019, more than 3,000 Ring log-ins were published on the open internet, but it was unclear at the time if that was the total number of customers compromised by security issues.

Advertisement

"Terrified" and "traumatized" by hacks

The FTC's Wednesday complaint finally clarifies the scale of Ring's security issues. Jillson said that it was the culmination of an extensive investigation, involving civil subpoenas and requests for information issued to both Ring and other companies.

Ring has historically pushed back against claims that its log-in systems and surveillance cameras have security issues. In a September 2021 filing for the ongoing class action suit Ring emphasized that customers were only affected because their information was leaked on "a separate, external, non-Ring service" and then "reused" to access Ring accounts. But by requiring multi-factor-authentication upon log-in, companies can prevent hacks resulting from compromised usernames and passwords. Meanwhile, parties in the class action claimed they were "terrified" and "traumatized" by the hacks.

The FTC complaint points out that Ring only began rolling out multi-factor-authentication in May 2019, and because it was optional and not required, "less than 2% of customers" adopted the security feature that year.

Jillson declined to specify how long the FTC investigated Ring, prior to Wednesday's complaint and proposed order. But she told Insider that Ring has already agreed to the terms of the settlement. In addition to paying a payout to all eligible consumers, Ring has to delete or destroy all Ring camera recordings "collected before March 1, 2018 and reviewed and annotated by employees or contractors for research and development purposes."

A district court judge in Washington, D.C. has to be assigned the case and approve the terms of the settlement, a formality that could take a few days to a few weeks. Jillson declined to specify the details of the settlement agreement with Ring.

Advertisement

Jillson told Insider that she wanted to emphasize the "broad and striking" nature of the FTC's complaint.

"These are pretty horrendous allegations. It involves spying and harassing in the most private spaces of people's homes, affecting not only adults, but also children. And so it's incredibly important that the FTC take action where there is such egregious conduct."

Got a tip? Contact this reporter at chaskins@insider.com or caroline.haskins@protonmail.com, or via the secure messaging app Signal at +1 (785) 813-1084. Reach out using a nonwork device.

{{}}