NYS Attorney General has been the most active state attorney general in terms of going after entities that don’t secure data properly. The following is from her latest press release:
NEW YORK – New York Attorney General Letitia James secured $450,000 from three companies that distribute eufy home security video cameras for failing to secure consumers’ private home security videos. The companies, Fantasia Trading LLC, Power Mobile Life LLC, and Smart Innovation, LLC distribute a line of video cameras, video doorbells, and video smart locks under the eufy brand. An investigation by the Office of the Attorney General (OAG) found that video streams from the cameras were not always securely encrypted and could be accessible to anyone with the relevant link without authentication. The settlement requires these companies to take steps to ensure stronger protections for customers’ data and pay $450,000 in penalties and costs.
[…]
In November 2022, a security researcher publicly disclosed tests indicating that marketing claims about the eufy products’ security and “end-to-end encryption” of data might not be accurate. The OAG opened an investigation focused on a line of eufy-branded internet-enabled video cameras, video doorbells, and video locks distributed by Fantasia Trading, Power Mobile Life, and Smart Innovation. The marketing for these home security products assured consumers that their data would be kept private and secure.
The OAG’s investigation revealed that, in certain situations, video sent over the internet from eufy home security products was not protected by end-to-end encryption, and that at least a portion of the connection did not use any type of encryption at all. The investigation also uncovered that an active video stream could be accessed by anyone with the relevant URL, without authentication, and that it may have been possible to deduce the URL without obtaining it from a user. The companies had not previously identified these security vulnerabilities because they did not have the necessary processes in place to test their safeguards or to identify risks to the security and privacy of consumers’ video.
As a result of this settlement, Fantasia Trading, Power Mobile Life LLC, and Smart Innovation will pay $450,000 in penalties and costs and take steps to ensure the eufy home security products they sell better protect consumers’ private videos. The agreement requires that the companies regularly substantiate that the developer of the eufy home security products:
- Maintains a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;
- Uses secure software development processes, including the use of third-party tools for testing software for security vulnerabilities;
- Maintains a vulnerability management program that includes regular penetration testing and vulnerability testing; and
- Implements appropriate encryption processes, including the encryption of video in storage and in transit.
Related: Anker Tries To Bullshit The Verge About Security Problems In Its Eufy ‘Smart’ Camera