Rogue ADT tech spied on hundreds of customers in their homes via CCTV – including me, says teen girl

Lawsuits filed after alarm biz admits worker snooped on victims

A technician at ADT remotely accessed hundreds of customers' CCTV cameras to spy on people in their own homes, the burglar-alarm biz has admitted.

At least one of the victims was a teenage girl, and another a young mother, according to court filings.

Last month, an ADT customer in Dallas, Texas, spotted and reported an unexpected email address listed as an admin user on their home security system. An internal investigation by ADT revealed it was the personal email of one of its employees, and he had seemingly used it to view the home's camera system nearly a hundred times.

A probe found the same technician had made himself an admin on 220 customers' accounts, meaning he could lock and unlock doors remotely, as well as access the live feed of cameras connected to the ADT network. His access is said to have stretched back seven years.

When ADT dug into the logs, it became clear their rogue insider had been regularly spying on customers, including, it is claimed, accessing the video feed from the bedroom of one teenage girl dozens of times. That teenager this week sued ADT for negligence and emotional distress, seeking a class-action lawsuit against the US corp, and naming the technician in question: it is alleged Telesforo Aviles was responsible.


The allegations are the stuff of nightmares: the lawsuit [PDF] details how the teenage daughter and her mother were initially uncomfortable about the idea of installing security cameras inside their house, though ADT “reassured them both that the security system was perfectly safe,” according to court filings, and a technician later fitted the kit.

But then, on April 24, “ADT called to explain that one of its technicians had gained access” to her mother's account “and had been watching” the mother and daughter “on approximately 73 different occasions,” according to court filings.

Her lawsuit then alleges, "based upon the cameras’ wide-angle lens and placement, the ADT employee had an opportunity to watch at least" the teenager "nude, in various states of undress, getting ready for bed, and moments of physical intimacy."

Fool me once

An almost identical [PDF] lawsuit has been filed by a second person – a young mother – whose security system installation “included an indoor security camera with a wide-angle view that provided a visual of a bathroom, entryway, family room and dining space, stairs, and into the master bedroom.”

To its credit, when ADT heard about the unauthorized access, it did the right thing: it fired the worker, reported him to the cops, and then contacted all those affected explaining the situation.

According to ADT, its unnamed technician abused a service mode function while physically present in customers’ homes in the Dallas area to add his personal email address – a feature that is “neither necessary nor permitted,” and which the company will remove in an upcoming software update. ADT technicians do not have remote access to that function, but once the technician included himself on the system while physically present, he could access the surveillance gear remotely.

Understandably, however, customers are furious it happened in the first place and went unnoticed for seven years. “This type of access could only occur because ADT failed to implement adequate procedures that would prevent non-household members from adding non-household email addresses,” reads the teenager's lawsuit.

“Similarly, ADT failed to monitor consumers’ accounts and promptly alert them anytime a new email was added to their accounts. Countless checks could have been in place to prevent or at least stop this conduct. Instead, this breach came to light only by luck and happenstance.”
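The two checks the lawsuit says were missing can be sketched over an account-change log. This is an added example, not ADT's code and not part of the original article; the event fields, channel names, threshold and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events; the schema and channel names are assumptions,
# not ADT's real log format.
EVENTS = [
    {"account": "A-1001", "action": "add_admin", "email": "owner1@example.com", "channel": "customer_portal"},
    {"account": "A-1001", "action": "add_admin", "email": "tech@example.net", "channel": "service_mode"},
    {"account": "A-1002", "action": "add_admin", "email": "owner2@example.com", "channel": "customer_portal"},
    {"account": "A-1002", "action": "add_admin", "email": "Tech@Example.net ", "channel": "service_mode"},
    {"account": "A-1003", "action": "add_admin", "email": "tech@example.net", "channel": "service_mode"},
    {"account": "A-1003", "action": "view_camera", "email": "tech@example.net", "channel": "remote"},
    {"account": "A-1004", "action": "add_admin", "email": "owner1@example.com", "channel": "customer_portal"},
]


def audit_admin_additions(events, max_accounts_per_email=2):
    """Return (notify, shared).

    notify: (account, email, channel) for every admin added outside the
            customer's own portal; the account owner should be alerted.
    shared: email -> accounts, for any address that is an admin on more
            distinct accounts than one household plausibly owns.
    """
    notify = []
    accounts_by_email = defaultdict(set)
    for ev in events:
        if ev["action"] != "add_admin":
            continue
        # Normalise so case or whitespace variants count as one address.
        email = ev["email"].strip().lower()
        accounts_by_email[email].add(ev["account"])
        if ev["channel"] != "customer_portal":
            notify.append((ev["account"], email, ev["channel"]))
    shared = {
        email: sorted(accounts)
        for email, accounts in accounts_by_email.items()
        if len(accounts) > max_accounts_per_email
    }
    return notify, shared


if __name__ == "__main__":
    notify, shared = audit_admin_additions(EVENTS)
    for account, email, channel in notify:
        print(f"ALERT owner of {account}: {email} added as admin via {channel}")
    for email, accounts in shared.items():
        print(f"REVIEW {email}: admin on {len(accounts)} accounts {accounts}")
```

The owner with two properties stays under the threshold, while the single address spread across three unrelated accounts is surfaced for review.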


Her lawsuit also noted that there is every reason to believe that other ADT technicians have similarly abused the system: ADT says it is carrying out a detailed investigation and audit to make sure there are no other instances.

“Our customers trust ADT with their safety and protection. We understand that this incident jeopardizes that trust and is entirely unacceptable,” the company acknowledged in a statement.

“We will make extraordinary efforts to earn back that trust. Our investigation is ongoing; we will continue to review all our customer accounts until we can be sure no one else’s privacy is at risk. In addition, we’ve already implemented technical and procedural solutions to help keep this abuse of access from ever happening again.”

The manufacturer has also said it will “review all of our processes, technical systems and hiring practices to strengthen our account security and customer privacy even more, and we’ve engaged third-party experts to assist in that review.”

In a message to The Register today, ADT said: "We deeply regret what happened to the 220 customers affected by this incident and have contacted them to help resolve their concerns. We are supporting law enforcement’s investigation of the former employee and are committed to helping bring justice to those impacted by his improper actions." ®
