Ring, the Amazon-owned company that makes absurdly-popular video doorbells and security cameras, has admitted that it has fired four members of staff after they viewed customers’ videos without authorisation.
The admission came in a letter sent to US Senators who back in November asked a variety of questions about Ring’s security practices in light of rising concerns.
In its response, Ring said that over the last four years it has received “four complaints or inquiries regarding a team member’s access to Ring video data,” and that staff had been fired as a result:
Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions. In each instance, once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual. In addition to taking swift action to investigate and take appropriate disciplinary action in each of these cases, Ring has taken multiple actions to limit such data access to a smaller number of team members. Ring periodically reviews the access privileges it grants to its team members to verify that they have a continuing need for access to customer information for the purpose of maintaining and improving the customer experience.
Recently, as we discussed on the latest episode of the “Smashing Security” podcast, there have been a number of concerning articles in the media, detailing how the cameras have been broken into by hackers, amid claims that Amazon Ring “isn’t even good at pretending to care about your privacy and safety.”
It would be interesting to hear more about the circumstances of precisely what these Ring employees were up to when they accessed the video footage from users’ doorbells without permission, but it somehow feels unlikely that Amazon would be keen to share more details.
What is worth repeating is that it is not only external hackers who pose a threat to the customer data that your company stores.
There is also a considerable threat posed by the staff you have employed and partners you have contracted, especially if you have granted them privileged levels of access to the data. And it doesn’t have to be the case that they wish to steal the data, their interest may simply be in spying on it…