DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

D-Link Agrees to Make Security Enhancements to Settle FTC Litigation

Posted on July 2, 2019 by Dissent

Smart home products manufacturer D-Link Systems, Inc., has agreed to implement a comprehensive software security program in order to settle Federal Trade Commission allegations over misrepresentations that the company failed to take reasonable steps to secure its wireless routers and Internet-connected cameras.

The settlement ends FTC litigation against D-Link stemming from a 2017 complaint in which the agency alleged that, despite claims touting device security, vulnerabilities in the company’s routers and Internet-connected cameras left sensitive consumer information, including live video and audio feeds, exposed to third parties and vulnerable to hackers.

“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”

Despite promoting the security of its products by claiming it offered “advanced network security,” D-Link failed to perform basic secure software development, including testing and remediation to address well-known and preventable security flaws, according to the FTC’s complaint. These flaws included using hard-coded login credentials on its D-Link camera software with the easily guessed username and password, “guest,” and storing mobile app login credentials in clear, readable text on a user’s mobile device.

As part of the proposed settlement, D-Link is required to implement a comprehensive software security program, including specific steps to ensure that its Internet-connected cameras and routers are secure. This includes implementing security planning, threat modeling, testing for vulnerabilities before releasing products, ongoing monitoring to address security flaws, and automatic firmware updates, as well as accepting vulnerability reports from security researchers.

In addition, D-Link is required for 10 years to obtain biennial, independent, third-party assessments of its software security program. The assessor must keep all documents it relies on for its assessment for five years and provide them to the Commission upon request. The settlement also requires the assessor to identify specific evidence for its findings—and not rely solely on the assertions of D-Link’s management. Finally, the order gives the FTC authority to approve the third-party assessor D-Link chooses.

Under this settlement, D-Link has the option to have the assessor certify its compliance with the secure product development standard set by the International Electrotechnical Commission, an international standard setting organization. If the company successfully obtains the necessary compliance certifications required of the standard, D-Link will be deemed in compliance with the order’s comprehensive security program requirement. This provision, however, does not apply if D-Link provides any misleading or false information during its biennial audit or assessment process.

The Commission vote to accept the proposed consent agreement with D-Link was 5-0. The FTC filed the proposed settlement in the U.S. District Court for the Northern District of California on July 1, 2019.

NOTE: Stipulated final orders have the force of law when approved and signed by the District Court judge.

Source: Federal Trade Commission

Related posts:

  • FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
  • FTC Charges D-Link Put Consumers’ Privacy at Risk Due to the Inadequate Security of Its Computer Routers and Cameras
  • ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk
  • Equifax Reaches $1.4 Billion Data Breach Settlement in Consumer Class Action; Also Agrees to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach
Category: Business SectorCommentaries and AnalysesOf NoteU.S.

Post navigation

← Key Biscayne recovering from cyberattack after hackers hit a third city in Florida
US Cyber Command issues alert about hackers exploiting Outlook vulnerability →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.