Cisco has agreed to pay $8.6m to settle a lawsuit filed by a client alleging the networking giant knowingly sold video surveillance kit containing serious security vulnerabilities.
US law firm Phillips & Cohen said it filed a qui tam, or whistleblower, lawsuit on behalf of James Glenn, a consultant for a Cisco partner company of Danish origin. The firm is said to have fired Glenn after he submitted a report to Cisco detailing the flaws.
Although Cisco eventually fixed the software flaws, the lawsuit alleged that the firm potentially exposed the federal and state-level agencies that used the equipment.
The settlement covers sales of Cisco’s Video Surveillance Manager from 2007 to 2014. The system allows customers to manage and connect multiple internet-connected cameras through a central server.
Whistleblower attorney, Claire Sylvia, argued that many federal and state agencies depended on Cisco’s video surveillance systems to help monitor security at their facilities.
“Our client raised important security concerns. We alleged in our complaint that the software flaws were so severe that they compromised the security of the video surveillance systems and any computer system connected to them,” said Sylvia.
“Cybersecurity products are an important piece of government spending these days, and it’s essential that those products comply with critical regulatory and contractual requirements. The tech industry can expect whistleblowers to continue to step forward when serious problems are ignored, thanks to laws that reward and protect them.”
Cisco will pay the federal government and 15 states, as well as various cities, counties and other regional US administrations. Glenn himself will receive around $1.6m.
According to Cisco, this payment settles litigation originally brought in 2011. It revealed in a blog post that the software in question came from an acquisition of Broadware in 2007.
“Because of the open architecture, video feeds could theoretically have been subject to hacking, though there is no evidence that any customer’s security was ever breached. In 2009, we published a Best Practices Guide emphasizing that users needed to pay special attention to building necessary security features on top of the software they were licensing from us,” explained general counsel, Mark Chandler.
“In July, 2013, we advised that customers should upgrade to a new version of the software which addressed security features. All sales of the older versions of the software had ended by September, 2014.”