In a letter to members of Congress about its security practices, Ring, Amazon’s surveillance camera brand, admitted that it had fired four employees over the past four years for abusing rights to access users’ video data,media reported. Ring sent the letter to five senators on Monday in response to a letter they sent to Ring in November, which raised many questions about the company’s safety practices.
Over the past four years, Ring has received four complaints or inquiries about team members accessing Ring video data. Although everyone involved in these events has access to video data, attempting to access that data is beyond the requirements of their work functions. In each case, ring investigates the incident as soon as it becomes aware of the actions and dismisses the individual as if he or she has violated Company policy.
The incident mentioned by Ring may be related to the report of The Information and Ring’s Interception, which gave the Ukrainian-based research and development team unlimited access to every Ring video created to amazon web servers.
In response to the senator, Ring denied that its research and development team in Ukraine had such access, but did point out that three employees had accessed stored customer video to help maintain Ring’s AWS infrastructure:
… Our research and development team can access public videos and videos of Ring employees, contractors, and friends and family of employees or contractors only with their express consent. In addition, when resolving a specific customer issue, the customer can expressly consent to our customer service department providing temporary access to real-time camera footage. In addition, to maintain Ring’s AWS infrastructure, a very limited number of employees (currently three) have access to stored customer video.
Ring also claims that “it is not aware of any violations of customer personally identifiable information and needs to report it to a government agency.” But the company said it was seeing stolen login credentials from other sites being used to access Ring devices.
Ring noted in the letter that it encourages users to use two-factor authentication, and that new accounts now require two-factor authentication. In a statement to The Verge, Sen. Ron Wyden (D-OR) said Ring needs to do more to protect Ring’s users’ accounts:
The need for two-factor authentication for new accounts is a step in the right direction, but millions of consumers already have Ring cameras at home and are still unnecessarily vulnerabling to hackers. Amazon needs to go further – protecting all Ring devices with two-factor authentication. It’s also disturbing to learn that Ring’s encryption of user video also lags behind that of other companies, which ensurethat only users have encryption keys to access their data.
Ring’s data security practices have come under constant scrutiny, particularly with data shared with law enforcement. In August, for example, Vice reported that the police department had asked Ring to share personal information about people who bought Ring cameras through a subsidy program. Vice reported in September that Ring provided the Georgia State Police with an “active camera” map of the area’s Ring owner. Recently, BuzzFeed News reported that Ring was sued for hacking over Ring’s device.