Cisco to pay $8.6 million to settle cybersecurity whistleblower case

More than $1 million will go to the whistleblower for alerting the US government to a security flaw.

Carrie Mihalcik Former Managing Editor / News

The case involved a flaw in Cisco's video surveillance software.


Cisco Systems has agreed to pay $8.6 million to settle a case brought forward by a former contractor who accused the company of selling video surveillance software with a known vulnerability to the US government. While much of the payment will act as a refund for 16 states and the federal government, approximately $1.6 million will go to the whistleblower who brought the issue to the government's attention. 

In the lawsuit, which was filed in 2011 and unsealed on Wednesday, a Danish subcontractor said he found a flaw in Cisco's Video Surveillance Manager, a software package used for controlling surveillance cameras and storing recorded video feeds, according to CNET sister site ZDNet. The flaw reportedly could have allowed a hacker to gain access to data stored in VSM systems, turn off cameras and gain access to a client's networks.

The subcontractor reportedly said he notified Cisco of the issue in October 2008, but the company allegedly failed to fix the bug and continued to sell the software, including to government agencies. 

"We are pleased to have resolved a 2011 dispute involving the architecture of a video security technology product we added to our portfolio through the Broadware acquisition in 2007," said a Cisco spokesperson in an emailed statement Thursday. "There was no allegation or evidence that any unauthorized access to customers' video occurred as a result of the architecture."

Cisco said that it advised customers to upgrade to a new version of the software, which fixed the security issues, in 2013. All sales of the older version of the software ended by September 2014, the company said.
