North Carolina joins $6 million settlement with Cisco over flawed security software

The N.C. Department of Justice said Thursday it had finalized a multistate settlement with technology company Cisco over a flawed security surveillance system that the company sold to several states, including North Carolina.

The flaws in the system’s software made it possible for unauthorized users to break into the system.

North Carolina joined 17 other states and the District of Columbia in suing Cisco over the flaws. The total settlement for Cisco was $6 million, of which North Carolina will receive $522,257.36.

“Companies have a responsibility to safeguard their systems and fix flaws they uncover,” North Carolina Attorney General Josh Stein said in a statement. “Cisco failed to address known flaws in its software and put sensitive surveillance data at risk of being hacked. My office will continue to hold companies accountable when they don’t work to protect their products and data.”

The lawsuit dates back to 2009, when a former Cisco employee turned whistleblower came forward and said Cisco knew that it had a security flaw in the surveillance software that it sold to individual states and the federal government.

The software, which controlled security camera systems, would permit unauthorized access to the systems because of the flaw, potentially allowing someone to manipulate security cameras and recorded footage.

However, while Cisco apparently knew of the flaw in 2009, it didn’t report it or remedy it until 2013, after an investigation had been started, according to the N.C. DOJ.

Cisco stopped selling the software in 2014, the company said in a blog post.

An investigation found that no hack or unauthorized access had ever taken place, and the software was soon discontinued.

The whistleblower, James Glenn, lost his job after reporting the flaw through the federal False Claims Act and state whistleblower acts, according to the Associated Press.

Those laws allow individuals to report fraud and misconduct in government contracts and to receive financial awards if the claims are successful. Glenn’s attorneys said his is the first cybersecurity case successfully litigated under the False Claims Act, the AP reported. Glenn received a $1.6 million settlement from Cisco, the company said in a blog post.

“The tech industry needs to fulfill its professional responsibility to protect the public from their products and services,” Glenn said in a statement. “There’s this culture that tends to prioritize profit and reputation over doing what’s right. I hope coming forward with my experience causes others in the tech community to think about their ethical mandate.”

Cisco downplayed the issue in a blog post on Wednesday. “While this is a legacy issue which no longer exists,” the company said, “it matters to us to recognize that times and expectations have changed.”

Cisco said the software was made by a company called Broadware, which it said it acquired in 2007. Because Broadware built the system using an open architecture that allowed customization, Cisco said, that design also made it “theoretically” open to hacking. The company noted, though, that there was no evidence that any system was ever breached.

The software system was primarily designed for use in airports, government buildings and military bases, as well as other areas, according to PC Magazine.

Cisco has a large presence in Research Triangle Park and employs thousands of people in North Carolina.

The financial hit shouldn’t affect the company too much from a monetary standpoint — the company brings in billions of dollars every year.

Cisco said the total sales of the flawed software were “well under one one-hundredth of one percent of Cisco’s total sales.”

This story was produced with financial support from a coalition of partners led by Innovate Raleigh as part of an independent journalism fellowship program. The N&O maintains full editorial control of the work.

Zachery Eanes is the Innovate Raleigh reporter for The News & Observer and The Herald-Sun. He covers technology, startups and main street businesses, biotechnology, and education issues related to those areas.