Cisco Settles Security Breach It Kept Quiet for Years
When a Cisco reseller in Denmark first heard in 2008 that one of its workers had discovered serious flaws in the airport surveillance software Cisco was selling, it fired him – and then kept quiet about it.

Eleven years later, Cisco Systems settled a whistleblower lawsuit over the surveillance software that had allowed unauthorized access to video feeds. The price: $8.6 million, split among the former worker, the federal government and 16 states.

Cisco only publicized the breach after the whistleblower’s sister notified the FBI – three years later.

The flawed program was developed by Broadware, a company acquired by Cisco in 2007. The software’s open architecture let attackers bypass the access controls normally attached to a video surveillance system, the very controls meant to keep intruders out.

The lawsuit’s plaintiffs, who included whistleblower James Glenn, said the product contained additional security flaws that could allow a cyber-intruder to access user passwords and systems data or even gain permanent administrator access to control the software remotely.

Cisco Rationalizes Its Behavior

Cisco justified its responses by explaining the problems were discussed in a company best-practices guide in 2009, and again in 2013, when it recommended that users update their software with new security features, and finally in 2014 when it discontinued the software.

“Evaluating these facts today, we’ve now agreed to make a payment that includes, what is in effect, a partial refund to the federal government and 16 states for products purchased between Cisco’s fiscal years 2008 and 2013,” says Mark Chandler, the chief legal officer for Cisco. “While this is a legacy issue which no longer exists, it matters to us to recognize that times and expectations have changed.”

The claim that Cisco did enough – and in a timely enough fashion – is dubious at best. In the suit against Cisco, the plaintiffs pointed out that a breach could have exposed the airports that had invested in the Cisco equipment and disarmed the security controls.

“You could penetrate the entire system,” says Michael Ronickher, an attorney representing Glenn. “And you could do that without any trace. And have complete backdoor access to the system whenever you wanted.”

Riding the Coattails of a Name

Part of the problem is that, rather than selling its surveillance products on the basis of quality, Cisco’s strategy was to ride on the coattails of its successful routing, switching and network security products, convincing customers of that infrastructure that there was an advantage in staying with the same provider.

“Cisco entered the video surveillance market in 2007 and suffered for many years through a variety of its own errors and arrogance,” says John Honovich of the video security firm IPVM. “The conclusion of that embarrassing error may have just now been reached.”

The initially lax approach seems even more egregious considering the client list: the Department of Homeland Security, Secret Service and the Pentagon, which treat security as a top priority.

Glenn, a security analyst, received $1.6 million as his share of the damages, which were assessed under the False Claims Act, the law that rewards people who blow the whistle on government fraud and contractor misdeeds.

He urged a note of caution for anyone who assumes that a corporation values its security just because it has a recognizable name.

“There’s this culture that tends to prioritize profit and reputation over doing what’s right,” he said. “I hope coming forward with my experience causes others in the tech community to think about their ethical mandate.”