Cisco to Pay $8.6 Million to Settle Government Claims of Flawed Tech
01 thg 8, 2019
WASHINGTON — Cisco Systems agreed on Wednesday to pay $8.6 million to settle claims that it sold video surveillance technology that it knew had a significant security flaw to federal, state and local government agencies.
Cisco will pay civil damages in connection with software that it sold to various government agencies, including Homeland Security, the Secret Service, the Army, the Navy, the Marines, the Air Force and the Federal Emergency Management Agency, according to a government complaint unsealed on Wednesday.
Fifteen states, including New York and California, and the District of Columbia joined the Justice Department in the claim against Cisco, one of the world’s largest sellers of software and equipment to businesses and governments. The case was filed in the Federal District Court for the Western District of New York under the False Claims Act, which addresses fraud and misconduct in federal government contracts.
The government said the video surveillance software it bought from Cisco was “of no value” because it did not “meet its primary purpose: enhancing the security of the agencies that purchase it.” In many cases, the Cisco software actually reduced the protection provided by other security systems, the complaint said.
Cisco said in a statement that it was pleased to resolve the dispute. “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture,” Robyn Blum, a Cisco spokeswoman, said in a statement.
The software vulnerability was identified in 2008 by a whistle-blower, James Glenn, who was working as a Cisco subcontractor in Denmark when he discovered that he could hack into the video software and take over the surveillance system without being detected, according to his lawyers at Constantine Cannon.
That September, Mr. Glenn told Cisco that he had discovered a flaw that hackers could use to gain unauthorized access to the video surveillance system, manipulate information and bypass security measures, Mr. Glenn’s lawyers told The New York Times.
Mr. Glenn was laid off as part of what the company said was a cost-cutting measure five months after he reported the vulnerability. A year later, in June 2010, he realized that Cisco had not fixed the flaw and he could still hack into the surveillance system. Soon after, he contacted the F.B.I. to discuss the issue.
Cisco continued to sell the software with the vulnerability until July 2013, when the company let customers know about the flaw and released a way to fix the problem.