In a letter to lawmakers about its security practices, Amazon’s Ring admitted that, over the past four years, it has fired four employees for abusing access to user video data (via CNET).
Ring’s letter was sent to five senators on Monday, in response to a letter they sent to Ring in November with questions about the company’s security practices.
Here is what the company said:
Over the last four years, Ring has received four complaints or inquiries regarding a team member’s access to Ring video data. Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions. In each instance, once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual.
(You can read the full letter here.)
The incidents Ring refers to could be related to reports by The Information and The Intercept of Ring giving its Ukraine-based research and development team unrestricted access to an Amazon web server with every Ring video ever created.
In its response to the senators, Ring denied that its Ukraine-based R&D team had this level of access, but it did reveal that three employees are able to access stored customer videos to help maintain Ring’s AWS infrastructure:
...our R&D teams can only access publicly available videos and videos available from Ring employees, contractors, and friends and family of employees or contractors with their express consent. Additionally, customers may give their express consent to our customer service department to provide temporary access to their live camera feed when troubleshooting a specific customer issue. Aside from this, a very limited number of employees (currently three) have the ability to access stored customer videos for the purpose of maintaining Ring’s AWS infrastructure.
Ring declined to confirm this to The Verge, saying it doesn’t comment on personnel matters.
In the letter, Ring claimed that it was “not aware of any breach of a customer’s personally identifiable information that would require reporting to government agencies,” but it said that it is seeing stolen login credentials from other sites being used to access Ring devices — something the company also said in response to the reports of data leaks in December.
In the letter, Ring said that it’s encouraging the use of two-factor authentication to help combat that issue, which it now proactively requires for new accounts. In a statement to The Verge, Sen. Ron Wyden (D-OR), one of the five senators who wrote to Ring in November, said that Ring needs to do more to protect Ring users’ accounts:
Requiring two-factor for new accounts is a step in the right direction, but there are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers. Amazon needs to go further – by protecting all Ring devices with two-factor authentication. It is also disturbing to learn that Ring’s encryption of user videos lags behind other companies, who ensure that only users have the encryption keys to access their data.
Ring tells The Verge that the reason it hasn’t turned on two-factor authentication for all existing users is that doing so could lock current customers out of their cameras, cameras they may rely on for security. There may be some truth to that: Ring founder Jamie Siminoff also told my colleague Dan Seifert that forcing existing customers to adopt two-factor authentication would require Ring to log everyone out of their systems. If so, users who couldn’t remember or retrieve their Ring login info might be in trouble.
Ring’s data security practices have come under continued scrutiny, particularly the data it shares with law enforcement departments. For example, in August, Vice reported that police departments have asked Ring to share the personal information of people who have purchased Ring cameras through subsidy programs. In September, Vice reported that Ring gave a Georgia police department an “active camera” map of Ring owners in the area. Most recently, BuzzFeed News reported that Ring is being sued following incidents of hackers taking over Ring devices.
Update January 8th, 7:37PM ET: Added statement and additional information provided by Ring.