An 8-year-old girl from Desoto County, Mississippi experienced a terrifying ordeal last month when a hacker accessed a Ring security camera in her bedroom. The girl was playing in her room when an eerie song came through the camera’s speaker, followed by a man’s voice identifying himself as Santa Claus and encouraging her to “destroy” her room and break things.
The frightening early December incident was captured on video by the device. The family had just installed the camera four days prior as a safety precaution.
In a statement, Ring officials said the incident was “in no way related” to a breach of the company’s security and instead that customers need to take precautions such as two-factor authentication and strong passwords to prevent hacking.
While the incident is still being investigated by law enforcement, it is one of several recent cases of people being terrorized by hackers through the exact devices they thought would help keep them safe—presenting a danger to customers and a major potential liability for the manufacturers and software companies involved in the products.
“It is shocking that something like that can happen, but I am not surprised,” said Erica Rangel, Broker, Burns & Wilcox, Chicago, Illinois. “With the Internet of Things (IoT) and so many household items connected to the internet these days, anything is susceptible to hackers.”
A growing threat
The risks of security camera breaches extend far beyond a jarring invasion of privacy. Hackers could use data from home security cameras to learn a family’s habits and ultimately victimize them financially or physically.
With the Internet of Things (IoT) and so many household items connected to the internet these days, anything is susceptible to hackers.
“Luckily in this situation, nothing happened to the little girl, but what if the man was just outside in a van and told the girl to leave, and he kidnapped her?” Rangel said. “This story could have become something much worse.”
The challenge of keeping sensitive data safe from intrusion is top of mind for both individuals as well as businesses. A 2018 White House report estimated that “malicious cyber activity” cost the U.S. economy between $57 billion and $109 billion in 2016. For companies, the need for Cyber & Privacy Liability Insurance has never been greater.
“Both sides of the table—the individual and organizations—need to look at prevention, detection and insurance,” said Matthew Lefchik, Director, Cyber Risk Management of Node International, a managing general agent (MGA) dedicated to digital, cyber and technology-related insurance and reinsurance solutions that was recently acquired by H.W. Kaufman Group. “Combining all three are how you build cyber resilience.”
The very same week as the incident in Mississippi, someone hacked into a home surveillance camera positioned in a Nebraska family’s living room and spoke to a young girl as she watched TV. “What are you watching?” the voice asked, and then later, “What are you eating?” In this case, Ring again said its systems were not compromised and pointed to username and password vulnerabilities.
In yet another early December incident, a Florida family’s Ring camera was hacked by a man who used racial slurs when asking parents about their 15-year-old son who was not in the camera’s view during the attack, leading the parents to believe the stranger had been spying on them through the camera for some time. In response, Ring officials said they identified that login information for one of the family’s external accounts had been exposed in a data breach unrelated to the company.
An Alabama homeowner filed a proposed class action lawsuit against Ring and Amazon on December 26; the homeowner’s children were playing basketball in the driveway when a hacker addressed them using the speaker function of the family’s Ring security camera. The suit alleged that because the cameras do not function unless connected to the internet and are not adequately protected against cyberattacks, they are “fatally flawed.”
When a cyberattack is due to a security issue or vulnerability on the part of a manufacturer or software developer, the company may face lawsuits, product recalls or the need for expensive repairs. A Cyber & Privacy Liability Insurance policy can cover these costs, including legal counsel and settlements, regulatory compliance, forensic support, and income loss due to business interruption or lost clients. A Consequential Reputational Damage policy is also available as an add-on, Lefchik said.
“Following a cyberattack, companies are often in the limelight and under the microscope. The general public knows more about what is going on with your organization and you need to look at your overall brand and any reputational damages,” he said. “This policy can help overcome damages.”
Although it is not possible to say for sure whether Ring could be held liable for the recent cyberattack incidents, there are situations when Cyber & Privacy Liability Insurance coverage may not apply, Rangel said. For example, Ring may have a responsibility to inform individuals about the security exposures, but would not be considered liable for hacking-related damages because there was not a data breach of the company’s system.
“If the breach did not happen through Ring’s system, the insurance policy would not respond,” she said. “The trigger of the policy has to be through the insured’s network, so it would not extend to a breach in the end consumer’s network.”
Prevention is key, especially as cyber risks grow. A 2018 report by Juniper Research estimated that in 2023, more than 33 billion records will be stolen by cybercriminals—an increase of 175 percent from 2018. Cyber & Privacy Liability Insurance can also help businesses with prevention efforts, including setting up multi-factor authentication.
“The things that we hear about, unfortunately, are only the large breaches, since those are the ones affecting millions of people, but things happen every day on all scales,” Rangel added. “Companies should look at their security procedures as a whole and a Cyber and Privacy Insurance policy can assist with that process.”
Unexpected vulnerabilities present big exposures
As cybercrimes increase, consumers are left scrambling to protect themselves against an ever-evolving digital threat. In 2017, consumer loss through cybercrime totaled $19.4 billion in the U.S. and $1.5 billion in Canada, according to Statista. From Ring doorbells and Echo Dots to children’s GPS watches and even smart refrigerators, many everyday devices can put users’ information at risk.
Many organizations are so big that they feel no one is going to be able to compromise them, or they are so small they think that no one cares about them. Well, hackers do not discriminate.
“These particular devices are interpreting, analyzing and collecting data about us,” Lefchik said. “It may be as minimal as what links we are clicking on, what songs we like. The bottom line is (your online activity) exposes you.”
Unexpected vulnerabilities can pose a significant risk. When Target experienced a massive data breach in 2014, which ultimately resulted in an $18.5 million settlement after 41 million users’ credit card data was exposed, the surprising cause was a hack into the company’s HVAC system.
“Many organizations are so big that they feel no one is going to be able to compromise them, or they are so small they think that no one cares about them,” Lefchik explained. “Well, hackers do not discriminate.”
Data breach costs can add up quickly, easily reaching tens or hundreds of thousands of dollars in losses, depending on how many users must be notified, Rangel said. Further, if a company’s board chooses against a cyber policy and a breach occurs, Directors & Officers Liability Insurance (D&O) could come into play, as the board could be sued for mismanagement.
“We have seen more D&O claims as a result of cyberattacks,” Rangel noted. “As a business, you have to think of all the exposures.”
Protecting sensitive data
Home surveillance camera hacks may not be as complicated as consumers would assume. One recent study, which tested six popular wireless cameras, found that each one could be hacked remotely with “little to no difficulty.” When a cybersecurity breach occurs, detection does not always take place immediately, either. In fact, a hacker could spend months spying on a family or organization and gathering information to use in a future attack.
“It could go on for a very long time,” Rangel explained. “What we see, at least on the commercial side, is sometimes these hackers are in a company’s network for months just doing research and getting used to the user’s habits. The same thing can happen at home.”
Even if a company safeguards its own products, security issues related to third-party components used with its products can occur. Just this month, Google disabled access to streaming video via its Google Nest Hubs from cameras manufactured by Chinese technology company Xiaomi, following reports that the cameras were broadcasting video feeds from random strangers’ homes. The incidents were related to a cache update that occurred on December 26, according to Xiaomi; the company issued a statement apologizing for the breach and said it had fixed the issue.
In today’s interconnected world, cyber awareness is critical. Experts urge business owners and individuals stay up to date on the latest tech products and incidents, develop an understanding of their cyber risk based on which devices they use personally and professionally, and consult with experts when needed.
“It is important to build appropriate cyber hygiene to promote a better organization lifestyle or an individual privacy lifestyle,” Lefchik said. “There are so many challenges and unknowns, you cannot take it on by yourself.”
In addition to educating themselves on best practices, parents should talk with their children about how to use doorbell cameras and to immediately report any suspicious noises or voices they hear from them.
“They need to let their kids know that nobody should be talking to them through these cameras,” Rangel said.
Recommended security measures include multi-factor authentication, using a VPN (Virtual Private Network) to encrypt your internet connection, utilizing identity monitoring platforms, and creating strong passwords that are changed frequently. Signing up for promotions from retailers or restaurants can also put someone at risk, as many registration forms require a date of birth and mailing address, and even email addresses often incorporate an individual’s full name.
“Unfortunately, a lot of people have passwords that include where they graduated, where they like to go on vacation, or milestones you can think of in your lifestyle. Hackers can actually grab a lot of that data off of your social media,” Lefchik added, and the same goes for using your name in an email address.”