Amazon-owned home security camera company Ring has fired employees for improperly accessing Ring users' video data, according to a letter the company wrote to Senators and obtained by Motherboard.
The news highlights a risk across many different tech companies: employees may abuse access granted as part of their jobs to look at customer data or information. In Ring's case this data can be particularly sensitive though, as customers often put the cameras inside their home.
"We are aware of incidents discussed below where employees violated our policies," the letter from Ring, dated January 6, reads. "Over the last four years, Ring has received four complaints or inquiries regarding a team member's access to Ring video data," it continues. Ring explains that although each of these people were authorized to view video data, their attempted access went beyond what they needed to access for their job.
"In each instance, once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual," the letter adds. As well as firing workers, Ring has also taken steps to limit such data access to a smaller number of people, the letter reads. It says three employees can currently access stored customer videos.
Do you know anything else insider data abuse, at Ring or elsewhere? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
As The Intercept previously reported, Ring granted a number of workers in Ukraine access to Ring user video for research purposes. In the new letter, Ring says "The R&D team in Ukraine can only access publicly available videos and videos available from Ring employees, contractors, and friends and family of employees or contractors with their express consent."
Ring's letter was in response to one multiple Senators sent to the company in November 2019. In that, Senators Ron Wyden, Chris Van Hollen, Edward J. Markey, Christopher A. Coons, and Gary C. Peters asked Ring multiple questions about the security of Ring's systems.
In response to a wave of incidents where hackers broke into Ring users' accounts and then harassed customers through their devices, Ring has implemented a number of new security features, such as requiring new signups to use two-factor authentication. In December Motherboard found multiple security issues with the Ring platform, such as Ring allowing logins from unknown IP addresses. Ring has since introduced warning messages when someone logs in from a new location.
“Requiring two-factor for new accounts is a step in the right direction, but there are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers. Amazon needs to go further—by protecting all Ring devices with two-factor authentication. It is also disturbing to learn that Ring’s encryption of user videos lags behind other companies, who ensure that only users have the encryption keys to access their data," Senator Wyden said in a statement.
When asked specific questions on the termination of employees who abused data access, a Ring spokesperson told Motherboard in an email, "We do not comment on personnel matters."
Update: This piece has been updated to include a statement from Ring.
Subscribe to our cybersecurity podcast, CYBER.