Cisco Agrees to Pay Over $8 Million For Selling Video Surveillance System with Technical Flaws

Experts believe Cisco’s payout to a whistleblower could set a precedent for future lawsuits against vendors who sell products with security vulnerabilities.

• By Haley Samsel
• Aug 06, 2019

Cisco Systems, one of the largest software and technology equipment sellers in the world, will pay $8.6 million to settle lawsuits claiming the company sold video surveillance technology to government agencies despite knowing the software was flawed.

Fifteen states and the District of Columbia, alongside the Justice Department, sued the company for damages under the False Claims Act, which imposes liability to companies who defraud governmental programs. The agencies that will receive payments from Cisco include Homeland Security, the Secret Service, the Federal Emergency Management Agency and several branches of the military, The New York Times reported.

“We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product,” Cisco spokeswoman Robyn Blum said in a statement. “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”

One of the biggest beneficiaries of the settlement is a single individual: James Glenn, a former subcontractor for Cisco in Denmark. Glenn will receive over $1 million for his role as a whistleblower in the case.

He first warned the company in 2008 that a hacker who successfully gained access to one video camera in a system could eventually gain administrative control of the entire network due to software flaws, Reuters reported. Glenn was laid off five months after the disclosure, but noticed in 2010 that the problem had not been fixed: he could still hack into the system. Shortly afterward, he went to the FBI, which opened an investigation, according to Reuters.

Cisco continued to sell the Video Surveillance Manager software through July 2013, when it disclosed the security flaw and released a patch fixing the issue. In its complaint, the Justice Department said the software was “of no value” and did not meet “its primary purpose: enhancing the security of the agencies that purchase it,” according to the Times.

The flaw was based on faulty access controls, which made the products non-compliant with the federal government’s National Institute of Standards in Technology, which determine the security standards that tech companies must use to do business with the government. The compliance issues set the stage for the lawsuit against Cisco, CNBC reported.

Glenn’s lawyer and other industry experts believe the settlement is the first time a whistleblower has gotten a payout in a false claims cyber case. And those experts think that there could be a flurry of similar whistleblower lawsuits filed under the law, seeking to follow in Glenn’s footsteps.

“[The settlement] clearly “clearly provides an opportunity for entrepreneurial plaintiffs or potential plaintiffs to go around looking for more examples like this,” Gregory Klass, a Georgetown University law professor, told Reuters.