Amazon Ring — Employee Surveillance FTC Settlement ($5.8M)
The FTC settled with Ring LLC (an Amazon subsidiary) for $5.8 million and a comprehensive order following allegations that Ring allowed employees and contractors to access customers' private videos without authorization. Ring employees used their access to watch videos of female customers in private spaces including bedrooms and bathrooms.
Ring granted employees and third-party contractors overly broad access to customer video data without a legitimate business need. At least one employee watched thousands of videos from female customers. The FTC also found that Ring failed to implement MFA, left accounts open to credential stuffing attacks because it lacked rate limiting, and failed to implement basic security practices for a device with cameras in people's homes.
Access controls for customer data must follow the minimum-necessary (least-privilege) principle. Video surveillance data warrants heightened protection. Third-party contractor access to sensitive customer data requires the same rigorous access controls as employee access. MFA and rate limiting are baseline security requirements for consumer devices.