eufy Cameras’ Poor Data Security Left Private Home Security Footage Accessible to Outsiders
New York Attorney General Letitia James secured $450,000 from three companies that distribute eufy home security video cameras for failing to secure consumers’ private home security videos. The companies, Fantasia Trading LLC, Power Mobile Life LLC, and Smart Innovation, LLC, distribute a line of video cameras, video doorbells, and video smart locks under the eufy brand. An investigation by the Office of the Attorney General (OAG) found that video streams from the cameras were not always securely encrypted and could be accessible to anyone with the relevant link without authentication. The settlement requires these companies to take steps to ensure stronger protections for customers’ data and pay $450,000 in penalties and costs.
“New Yorkers buy home security cameras to protect themselves and their homes,” said Attorney General James. “The eufy cameras’ poor data security allowed anyone to access people’s security camera footage, defeating the purpose of having a home security system. Today my office is taking steps to ensure eufy cameras’ developers improve their data security so that New Yorkers’ home security footage is private and protected.”
In November 2022, a security researcher publicly disclosed tests indicating that marketing claims about the eufy products’ security and “end-to-end encryption” of data might not be accurate. The OAG opened an investigation focused on a line of eufy-branded internet-enabled video cameras, video doorbells, and video locks distributed by Fantasia Trading, Power Mobile Life, and Smart Innovation. The marketing for these home security products assured consumers that their data would be kept private and secure.
The OAG’s investigation revealed that, in certain situations, video sent over the internet from eufy home security products was not protected by end-to-end encryption, and that at least a portion of the connection did not use any type of encryption at all. The investigation also uncovered that an active video stream could be accessed by anyone with the relevant URL, without authentication, and that it may have been possible to deduce the URL without obtaining it from a user. The companies had not previously identified these security vulnerabilities because they did not have the necessary processes in place to test their safeguards or to identify risks to the security and privacy of consumers’ video.
As a result of this settlement, Fantasia Trading, Power Mobile Life LLC, and Smart Innovation will pay $450,000 in penalties and costs and take steps to ensure the eufy home security products they sell better protect consumers’ private videos. The agreement requires that the companies regularly substantiate that the developer of the eufy home security products:
- Maintains a comprehensive information security program designed to protect the security, confidentiality, and integrity of consumer information;
- Uses secure software development processes, including the use of third-party tools for testing software for security vulnerabilities;
- Maintains a vulnerability management program that includes regular penetration testing and vulnerability testing; and
- Implements appropriate encryption processes, including the encryption of video in storage and in transit.
This announcement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. Last month, Attorney General James secured $500,000 from an auto insurance company for failing to protect New Yorkers’ data. In November 2024, Attorney General James and DFS Superintendent Adrienne Harris secured $11.3 million from GEICO and Travelers for having poor data security. In October 2024, Attorney General James secured $2.25 million from a Capital Region health care provider for failing to protect the private information and medical data of New Yorkers. In August 2024, Attorney General James and a multistate coalition secured $4.5 from a biotech company for failing to protect patient data. In July, Attorney General James launched two privacy guides, a Business Guide to Website Privacy Controls and a Consumer Guide to Tracking on the Web, to help businesses and consumers protect themselves. In April 2023, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In January 2022, Attorney General James released a business guide for credential stuffing attacks that detailed how businesses could protect themselves and consumers.