FTC charges Ring over 'disregard' for customer data security

Chip Somodevilla/Getty Images

The Federal Trade Commission has proposed stronger security protocols for home video surveillance company Ring after years of mounting concern over data privacy.

Home security camera company Ring is back in federal crosshairs as the Federal Trade Commission announced charges against the company on Wednesday for compromising the data privacy of its customers. 

Detailed in a proposed injunction, the FTC alleges that the Amazon-owned company allowed any employee or contractor to be able to access consumers’ private videos, stemming from a lack of fundamental security and privacy protections. 

This threat also extended to hackers, who exploited similar security gaps to control customers’ accounts and devices, all without user consent.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

Cyberattacks on Ring data were recorded in 2017, 2018 and 2019. The FTC says that the company failed to take basic preventative security measures, such as implementing multi-factor authentication, despite multiple hacking incidents.

Roughly 55,000 U.S. customers were impacted by Ring’s security lapses, with some attacks going as far as hijacking Ring cameras to illegally surveil and verbally harass customers.

“Ring’s sloppy implementation of the additional security measures hampered their effectiveness,” the FTC noted.

The order mandates Ring pay $5.8 million in customer refunds, and requires that Ring delete or destroy all pre-March 2018 recordings of customers within 30 days following the entry of the order and destroy or delete any products — like algorithms or other company models — produced from these hacks within 90 days.

The FTC is also ordering Ring to develop a comprehensive data privacy plan within 180 days following the order’s entry, and implement it for 20 years. Specific details required in the data privacy plan include employee training, vulnerability testing and implementation of sufficient authentication or login technology.

The Commission approved this complaint in a 3-0 vote, submitted to a U.S. District Court in Washington, D.C.

Prior to this ruling, Ring came under congressional scrutiny in 2020, with a House Subcommittee on Economic and Consumer Policy reviewing the company’s usage of facial recognition biometrics and related privacy concerns. 

These concerns persisted into 2022, when Ring disclosed it provided video footage to law enforcement without user consent, according to a letter from Amazon leadership sent in response to Sen. Ed Markey, D-Mass.