Smart doorbell company Ring said that it has fired four employees over the past four years for inappropriately accessing customer video footage.
The disclosure comes in a recent letter to senators (in response to a November inquiry into the company’s data policies) from Amazon-owned Ring as it attempts to defend the privacy of its platform, which has been plagued by data privacy incidents over the past year. In the letter, Ring said the former employees were authorized to view video data, but their attempted access to the data “exceeded what was necessary for their job functions.”
“In each instance, once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual,” according to Ring’s Jan. 6 letter, obtained by Motherboard. “In addition to taking swift action to investigate and take appropriate disciplinary action to each of these cases, Ring has taken multiple actions to limit such data access to a smaller number of team members.”
Ring said employees have access to live feeds only when customers grant them permission, solely for troubleshooting a device issue. The company said it periodically reviews the access privileges that it grants to employees to verify their need for customer data access.
It’s not clear how long each employee was able to view the feeds, or how many customers were impacted. Threatpost has reached out to Amazon for further details.
However, Ring isn’t alone in facing challenges around weeding out employees who may be accessing sensitive, personal data. In May 2019, a report outlined how Snap employees were abusing their access to private user data, which includes location data, saved Snaps and phone numbers. And a report in 2018 found that Facebook had fired an employee who allegedly abused his access to data to stalk women.
Ring Data Privacy Disclosures
Ring sought to defend its data policies in its letter, responding to criticism from U.S. Senators Ron Wyden (D-Ore.), Chris Van Hollen (D-Md.), Chris Coons (D-Del.), Gary Peters (D-Mich.) and Edward Markey (D-Mass.). The senators asked Ring to disclose how it’s securing Ring home-security device footage, and who is allowed to access that footage.
The senators’ demands came in the midst of a slew of privacy issues with the connected device, including several disturbing stories emerging in December about hackers hijacking Ring devices and talking to strangers through them. Concerns have also cropped up around Ring’s acknowledgement that it’s partnering with more than 600 police departments across the country to allow them to request access to camera footage from camera owners.
Ring’s letter this week noted that it continues to see stolen credentials and passwords from other applications and sites being used by hackers to log into users’ Ring devices. The company said it has rolled out a campaign to educate customers on “how to better protect their online accounts,” including prompts for two-factor authentication.
“Our security team investigated these incidents and found no evidence of an unauthorized intrusion or compromise of Ring’s systems and networks,” Ring said.
Senators also demanded that Ring address a separate report earlier this year that alleged that Ring employees in Ukraine were provided with “virtually unfettered access” to a folder containing every video created by every Ring camera globally, and that some U.S. Ring executives and engineers were given “highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras.”
In response, Ring said this week that the research-and-development team in Ukraine does not have unrestricted access to its video database: “The R&D team in Ukraine can only access publicly available videos and videos available from Ring employees, contractors and friends and family of employees or contractors with their express consent,” it said. “We use these videos to deliver high-quality services and to maintain and improve the customer experience.”
Some, such as Wyden (one of the senators who penned the original November letter to Ring), don’t think that Ring’s updates are enough, particularly its response to the slew of December customer-device hacks.
“Requiring two-factor for new accounts is a step in the right direction, but there are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers,” Wyden told media outlets. “Amazon needs to go further—by protecting all Ring devices with two-factor authentication.”