Whistleblower prompts Cisco into $8.6m settlement

Cisco has agreed to pay $8.6m to settle a whistleblower’s claim involving a cybersecurity flaw.

Cisco has agreed to settle a False Claims Act lawsuit for $8.6m. The whistleblower lawsuit was filed on behalf of James Glenn, a former consultant who had worked for a Cisco partner company.

Glenn had lost his job after alerting Cisco’s product security incident response team to vulnerabilities in its video surveillance software in October 2008.

As a result, Glenn filed a whistleblower complaint in 2011 accusing Cisco of “selling and causing others to sell to federal agencies as well as to state and local government entities a video surveillance system that Defendant [Cisco] knew to possess dangerous, undisclosed, and impermissible security weakness.”

Mike Ronickher, the lawyer representing Glenn, said:

“The problem was that there was some code embedded in the software that left open a loophole so that, as someone with very limited access, you could gain administrative access and so eventually build a backdoor into the system for yourself – and it would not log the creation of that administrator account.”

Essentially, anyone could have had “free rein” over the software.

In 2012, more than three years after Glenn identified the problems, Cisco released an updated version of its video surveillance software and also issued a best-practice guide. In July 2013, just under five years after Glenn reported the problem, Cisco disclosed the vulnerabilities to its customers and to the public.

The lawsuit was filed under the False Claims Act, which allows individuals to blow the whistle on misconduct and fraud in federal government contracts and programmes. If their claims are proved, a financial reward is given. 

Out of the $8.6 million, most of the money will go to the federal government and 15 state buyers, with more than $1 million going to James Glenn. 

“We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product,” said Cisco spokeswoman Robyn Blum. “There was no allegation or evidence that any unauthorized access to customers’ video occurred as a result of the architecture.”

It is believed that there will be many more similar cases to come. 

“There’s this culture that tends to prioritize profit and reputation over doing what’s right,” Glenn said in a written statement. “I hope coming forward with my experience causes others in the tech community to think about their ethical mandate.”
