A technician at ADT remotely accessed hundreds of customers' CCTV cameras to spy on people in their own homes, the burglar-alarm biz has admitted.
At least one of the victims was a teenage girl, and another a young mother, according to court filings.
Last month, an ADT customer in Dallas, Texas, spotted and reported an unexpected email address listed as an admin user on their home security system. An internal investigation by ADT revealed it was the personal email of one of its employees, and he had seemingly used it to view the home's camera system nearly a hundred times.
A probe found the same technician had made himself an admin on 220 customers' accounts, meaning he could lock and unlock doors remotely, as well as access the live feed of cameras connected to the ADT network. His access is said to have stretched back seven years.
When ADT dug into the logs, it became clear their rogue insider had been regularly spying on customers, including, it is claimed, accessing the video feed from the bedroom of one teenage girl dozens of times. That teenager this week sued ADT for negligence and emotional distress, seeking a class-action lawsuit against the US corp, and naming the technician in question: it is alleged Telesforo Aviles was responsible.
ADT reassured them both that the security system was perfectly safe
The allegations are the stuff of nightmares: the lawsuit [PDF] details how the teenage daughter and her mother were initially uncomfortable about the idea of installing security cameras inside their house, though ADT “reassured them both that the security system was perfectly safe,” according to court filings, and a technician later fitted the kit.
But then, on April 24, “ADT called to explain that one of its technicians had gained access" to her mother's account "and had been watching" the mother and daughter "on approximately 73 different occasions,” according to court filings.
Her lawsuit then alleges, "based upon the cameras’ wide-angle lens and placement, the ADT employee had an opportunity to watch at least" the teenager "nude, in various states of undress, getting ready for bed, and moments of physical intimacy."
Fool me once
An almost identical [PDF] lawsuit has been filed by a second person – a young mother – whose security system installation “included an indoor security camera with a wide-angle view that provided a visual of a bathroom, entryway, family room and dining space, stairs, and into the master bedroom.”
To its credit, when ADT heard about the unauthorized access, it did the right thing: it fired the worker, reported him to the cops, and then contacted all those affected explaining the situation.
According to ADT, its unnamed technician abused a service mode function while physically present in customers’ homes in the Dallas area to add his personal email address – a feature that is “neither necessary nor permitted,” and which the company will remove in an upcoming software update. ADT technicians do not have remote access to that function, but once the technician included himself on the system while physically present, he could access the surveillance gear remotely.
Understandably, however, customers are furious it happened in the first place and went unnoticed for seven years. “This type of access could only occur because ADT failed to implement adequate procedures that would prevent non-household members from adding non-household email addresses,” reads the teenager's lawsuit.
“Similarly, ADT failed to monitor consumers’ accounts and promptly alert them anytime a new email was added to their accounts. Countless checks could have been in place to prevent or at least stop this conduct. Instead, this breach came to light only by luck and happenstance.”
Scottish court issues damages to couple over distress caused by neighbour's use of CCTVREAD MORE
Her lawsuit also noted that there is every reason to believe that other ADT technicians have similarly abused the system: ADT says it is carrying out a detailed investigation and audit to make sure there are no other instances.
“Our customers trust ADT with their safety and protection. We understand that this incident jeopardizes that trust and is entirely unacceptable,” the company acknowledged in an statement.
“We will make extraordinary efforts to earn back that trust. Our investigation is ongoing; we will continue to review all our customer accounts until we can be sure no one else’s privacy is at risk. In addition, we’ve already implemented technical and procedural solutions to help keep this abuse of access from ever happening again.”
The manufacturer has also said it will “review all of our processes, technical systems and hiring practices to strengthen our account security and customer privacy even more, and we’ve engaged third-party experts to assist in that review.”
In a message to The Register today, ADT said: "We deeply regret what happened to the 220 customers affected by this incident and have contacted them to help resolve their concerns. We are supporting law enforcement’s investigation of the former employee and are committed to helping bring justice to those impacted by his improper actions." ®