Will Cisco pay all its customers for selling vulnerable products, as it paid the US government?

It is no longer uncommon to hear about cases in which technology companies deliberately conceal security issues present in their products or services. This time the company involved is Cisco, which has just reached an agreement to pay $8.6M USD after admitting that it sold surveillance software vulnerable to multiple kinds of cyberattack, system audit experts report.

As mentioned, the company was fully aware of the security flaws in the software in question, yet it kept selling it to hospitals and other organizations without releasing update patches for more than 4 years. The agreement was announced by the U.S. Department of Justice (DOJ).

After extensive investigation, system audit experts concluded that the software flaws could be exploited by hackers to access surveillance systems, turn cameras on or off at will, delete recordings and even compromise other devices connected to the monitoring system, such as alarms or electric locks. As if that weren’t enough, the vulnerabilities were easy to exploit for any hacker.

A spokesman for the company was pleased to have reached an arrangement with the U.S. authorities: “We have solved this incident; I would like to add that there is no evidence or complaints about possible unauthorized access to our customers’ surveillance systems as a result of these software flaws,” the Cisco spokesperson said. However, James Glenn, the whistleblower in the case, points out that a hacker could have compromised surveillance systems undetected.

This case may set an important precedent, as it is the first time that a technology company has been required to pay compensation for not having adequate cybersecurity measures in its products, system audit experts report.

In addition, the U.S. government is conducting extensive scrutiny of its multimillion-dollar contracts with technology companies, since, as some officials have mentioned, cybersecurity was not a factor considered when these agreements were signed. Many experts are concerned that the government will authorize the purchase of technology products and services that are very easy to hack, compromising sensitive information in more ways than we might think.

“This is the case for this specific Cisco product. Agencies such as the Secret Service, the Federal Emergency Management Agency, and some military facilities used the compromised software, even the New York police and some prisons had this system,” said system audit experts.

The information revealed by Glenn, who used to work for a Danish company associated with Cisco, was used to file a lawsuit in a New York District Court under the False Claims Act, which allows individuals to file lawsuits on behalf of the government in cases where a company may have committed fraud. As this act allows, the federal government and some state governments joined the lawsuit against Cisco; 80% of the compensation will go to the governments, while the remaining 20% will go to Glenn and his legal advisers.

Reports from the International Institute of Cyber Security (IICS) experts claim that Glenn reported these security flaws repeatedly while working at NetDesign, a Cisco subcontractor. However, the whistleblower never obtained a satisfactory response from the company; he was eventually fired in 2009.