Cisco Settles for $8.6M to End Cybersecurity Whistleblower Case
The tech titan settled with federal, state and local agencies in a whistleblower case involving cybersecurity issues with video surveillance software.
The False Claims Act (FCA) allows whistleblowers to report fraud and misconduct in federal contracting and collect financial rewards when the claims are successful. (Johannes Weber)
SAN FRANCISCO — Cisco Systems (Nasdaq: CSCO) has agreed to settle a whistleblower’s lawsuit that alleged the tech giant improperly sold video surveillance software with known vulnerabilities to U.S. federal and state governments.
Rather than being rewarded for his 2008 discovery, James Glenn lost his job, according to the lawsuit he filed under the federal False Claims Act (FCA), which was unsealed July 31 with the announcement of an $8.6 million settlement, reports AP.
The settlement marks the first-ever payout on a FCA case brought over failure to meet cybersecurity standards. Most of the settlement money will be paid to the federal government and 15 state buyers, and more than $1 million will go to Glenn.
The FCA allows whistleblowers to report fraud and misconduct in federal contracting and collect financial rewards when the claims are successful. Glenn’s attorneys said his is the first cybersecurity case successfully litigated under the law.
After the lawsuit was unsealed, Cisco issued a statement saying it was “pleased to have resolved” the dispute and that “there was no allegation or evidence that any unauthorized access to customers’ video occurred” as a result of the product’s architecture. But it added that video feeds could “theoretically have been subject to hacking.”
In addition to commercial airports, the software is used by the Pentagon, U.S. Secret Service and Department of Homeland Security, AP reports.
According to the complaint, Glenn, then a Denmark-based employee of Cisco partner company Net Design, contacted Cisco in November 2008. He said he had discovered a flaw in Cisco’s proprietary surveillance camera software that not only made it easy for a would-be attacker to access the systems running the devices, but to also hack deeper into those systems after gaining entry.
Glenn made the discovery after participating in a so-called “own medicine” initiative by his company, where employees security test equipment and software they’re using or working on.
However, Cisco kept the vulnerability quiet for five years, not issuing a security alert until 2013, when it acknowledged “multiple security vulnerabilities” in the software.
NetDesign fired Glenn in March 2009, blaming his termination on a need to cut costs, according to the company. Two years later, after Glenn’s sister notified the FBI, a lawsuit was filed claiming Cisco had defrauded U.S. federal, state and local governments who purchased the “mission-critical” Video Surveillance Manager software system.
The software flaw hinged on faulty access controls, making it too easy for anyone to access the equipment. This made the products non-compliant with the federal government’s National Institute of Standards in Technology (NIST) framework, which dictates the security measures required by tech companies wishing to do business with the federal government.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
Related Content
Security Is Our Business, Too
For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.
A FREE subscription to the top resource for security and integration industry will prove to be invaluable.
