TRENTON – Attorney General Gurbir S. Grewal announced today that New Jersey is among the states participating in a $6 million settlement with Cisco Systems, Inc., that resolves allegations the company sold public entities a security video monitoring system that was vulnerable to hacking. The defects in the Video Surveillance Manager (VSM) suite of products at issue in the investigation also have been resolved.
According to the participating states, whose investigation was prompted by a “whistleblower” lawsuit filed in 2011, the video monitoring system was built to facilitate remote camera monitoring of multiple entrances to buildings, bridges, tunnels, schoolyards, parking garages and other facilities, but the system’s flaws made it vulnerable to hacking. This vulnerability made VSM accessible to unauthorized users, who could potentially hack not only into an individual VSM system, but into a broader network on which the VSM system was deployed.
Affected entities in New Jersey included school districts, universities and others.
Based on the whistleblower suit and a multi-state investigation, the states concluded that Cisco became aware of VSM’s security vulnerabilities in 2008 or earlier, but failed to remedy the problem until 2013.
There is no evidence a single VSM system was ever actually hacked.
“We take cybersecurity seriously here in New Jersey,” said Attorney General Grewal. “Enforcement actions like the one we are announcing today put companies on notice that if they want to sell their products to New Jersey, they must satisfy the highest standards for cybersecurity.”
California-based Cisco Systems manufactures and sells a variety of products and services, including computer networking and communications technology.
The VSM system was made up of three pieces of software: the Cisco Video Surveillance Media Server, the Cisco Surveillance Operations Manager, and the Cisco Video Surveillance Virtual Matrix.
The VSM system included a software product that allowed users to, among other things, monitor and control a large number of video surveillance cameras simultaneously and remotely.
The participating states contend that Cisco became aware more than a decade ago of certain security vulnerabilities that would potentially allow intruders access to the VSM software, and that the states were harmed by the submission of false claims for payment to Cisco or its authorized resellers between that time and July 2013, when Cisco published a Security Advisory that addressed the security flaw.
New Jersey’s share of the settlement announced today is approximately $143,000.
The federal government has entered into a separate settlement agreement with Cisco over the VSM system, as various federal agencies purchased the product.
Deputy Attorney General Evan A. Showell, Assistant Section Chief of the Division of Law’s Securities Fraud Prosecution Section (and formerly of the Government & Healthcare Fraud Section, where he was assigned the Cisco matter), and Assistant Attorney General Janine N. Matton, former Section Chief of the Government & Healthcare Fraud Section, handled the Cisco matter on behalf of the State.