Ring has stated that the employees involved in these breaches are no longer employed by the company, according to a draft notice to affected customers.
Furthermore, the FTC accused Ring of failing to respond adequately to multiple reports of credential stuffing, a technique in which hackers use stolen user credentials from one breach to gain unauthorized access to accounts on other platforms. The FTC claimed that Ring allowed the use of easily guessable passwords, making it easier for hackers to compromise accounts. Additionally, the company was criticized for not taking swift action to prevent account breaches.
According to the FTC, more than 55,000 U.S. customers had their accounts compromised between January 2019 and March 2020 due to these vulnerabilities. In some cases, hackers retained access to compromised accounts for over a month.
In response to these issues, Ring made two-factor authentication mandatory for users in February 2020. The company also introduced end-to-end encryption in 2021, providing users with the ability to encrypt their doorbell videos and prevent unauthorized access.
In addition to the $5.8 million settlement, Ring has agreed to establish and maintain a comprehensive data security program with regular assessments for the next 20 years. The company is also required to disclose the extent of its employees’ and contractors’ access to customer data.
Ring spokesperson Emma Daniels said in an emailed statement to TechCrunch that the company disagrees with the FTC’s allegations and denies any violation of the law.
The settlement serves as a reminder to companies in the tech industry of the importance of safeguarding customer data and maintaining strong privacy practices.