(WNY News Now) Attorney General Letitia James of New York secured a settlement that holds Eufy camera distributors responsible for inadequate data protection procedures that exposed private home security footage.
NEW YORK For failing to protect customers’ private home security footage, New York Attorney General Letitia James obtained $450,000 from three companies that sell Eufy home security cameras. Under the eufy brand, a range of video cameras, video doorbells, and video smart locks are distributed by Fantasia Trading LLC, Power Mobile Life LLC, and Smart Innovation, LLC. Video streams from the cameras were not always properly encrypted, according to an Office of the Attorney General (OAG) inquiry, and anyone with the appropriate link could view them without authentication. In addition to paying $450,000 in fines and expenses, the settlement mandates that these businesses take action to guarantee better safeguards for consumer data.
According to Attorney General James, New Yorkers purchase home security cameras to safeguard their residences and themselves. The goal of having a home security system was defeated when the Eufy cameras’ inadequate data security made it possible for anybody to view people’s security camera footage. In order to guarantee that the home security footage of New Yorkers is secure and confidential, my office is taking action today to ensure that Eufy Camera developers enhance their data security.
According to tests made public by a security researcher in November 2022, marketing claims about the security and end-to-end encryption of Eufy products may not be true. A range of eufy-branded internet-enabled video cameras, doorbells, and locks sold by Fantasia Trading, Power Mobile Life, and Smart Innovation were the subject of an investigation launched by the OAG. Customers were reassured by the marketing for these home security devices that their information would be secure and kept secret.
The OAG’s inquiry found that at least some of the connection did not use any encryption at all, and that in other cases, video sent over the internet from Eufy home security equipment was not protected by end-to-end encryption. Additionally, the study revealed that anyone with the correct URL could view an active video stream without authentication and that it might have been easy to infer the URL without getting it from a user. Because they lacked the procedures required to evaluate their security measures or detect threats to the security and privacy of customer video, the organizations had not previously discovered these security flaws.
Fantasia Trading, Power Mobile Life LLC, and Smart Innovation will pay $450,000 in fines and expenses as part of this settlement, and they will also take action to make sure its eufy home security systems better safeguard customers’ private footage. According to the agreement, the businesses must consistently confirm that the creator of Eufy home security products:
- Maintains a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;
- Uses secure software development processes, including the use of third-party tools for testing software for security vulnerabilities;
- Maintains a vulnerability management program that includes regular penetration testing and vulnerability testing; and
- Implements appropriate encryption processes, including the encryption of video in storage and in transit.
The declaration made today is part of Attorney General James’ ongoing efforts to safeguard the private information of New Yorkers and hold businesses responsible for their inadequate data security procedures. Attorney General James obtained $500,000 from a car insurance provider last month for neglecting to safeguard the data of New Yorkers. Attorney General James and DFS Superintendent Adrienne Harris obtained $11.3 million from Travelers and GEICO in November 2024 for their inadequate data protection. Attorney General James obtained $2.25 million from a healthcare provider in the Capital Region in October 2024 for neglecting to safeguard the medical records and personal information of New Yorkers. A multistate coalition led by Attorney General James obtained $4.5 from a biotech corporation in August 2024 for failing to protect patient data. Attorney General James released two privacy guides in July to assist consumers and businesses in protecting themselves: a Consumer Guide to Tracking on the Web and a Business Guide to Website Privacy Controls. Attorney General James published a thorough data security guide in April 2023 to assist businesses in enhancing their data security procedures. Attorney General James published a business guide on credential stuffing assaults in January 2022, outlining steps for companies to take to safeguard both customers and themselves.
Under the direction of Bureau Chief Kim Berger, the Bureau of Internet and Technology’s Deputy Bureau Chief Clark Russell, Senior Enforcement Counsel Jordan Adler, and Assistant Attorney General Nathaniel Kosslyn handled this case. First Deputy Attorney General Jennifer Levy is in charge of the Division for Economic Justice, which includes the Bureau of Internet and Technology. Chief Deputy Attorney General Chris D. Angelo leads this division.