A technician at ADT remotely accessed hundreds of customers’ CCTV cameras to spy on people in their own homes, the burglar-alarm biz has admitted.
At least one of the victims was a teenage girl, and another a young mother, according to court filings.
Last month, an ADT customer in Dallas, Texas, spotted and reported an unexpected email address listed as an admin user on their home security system. An internal investigation by ADT revealed it was the personal email of one of its employees, and he had seemingly used it to view the home’s camera system nearly a hundred times.
A probe found the same technician had made himself an admin on 220 customers’ accounts, meaning he could lock and unlock doors remotely, as well as access the live feed of cameras connected to the ADT network. His access is said to have stretched back seven years.
When ADT dug into the logs, it became clear their rogue insider had been regularly spying on customers, including, it is claimed, accessing the video feed from the bedroom of one teenage girl dozens of times. That teenager this week sued ADT for negligence and emotional distress, seeking a class-action lawsuit against the US corp, and naming the technician in question: it is alleged Telesforo Aviles was responsible.
The allegations are the stuff of nightmares: the lawsuit details how the teenage daughter and her mother were initially uncomfortable about the idea of installing security cameras inside their house, though ADT “reassured them both that the security system was perfectly safe,” according to court filings, and a technician later fitted the kit.
But then, on April 24, “ADT called to explain that one of its technicians had gained access” to her mother’s account “and had been watching” the mother and daughter “on approximately 73 different occasions,” according to court filings.
Her lawsuit then alleges, “based upon the cameras’ wide-angle lens and placement, the ADT employee had an opportunity to watch at least” the teenager “nude, in various states of undress, getting ready for bed, and moments of physical intimacy.”
Fool me once
An almost identical lawsuit has been filed by a second person – a young mother – whose security system installation “included an indoor security camera with a wide-angle view that provided a visual of a bathroom, entryway, family room and dining space, stairs, and into the master bedroom.”
To its credit, when ADT heard about the unauthorized access, it did the right thing: it fired the worker, reported him to the cops, and then contacted all those affected explaining the situation.
According to ADT, its unnamed technician abused a service mode function while physically present in customers’ homes in the Dallas area to add his personal email address – a feature that is “neither necessary nor permitted,” and which the company will remove in an upcoming software update. ADT technicians do not have remote access to that function, but once the technician included himself on the system while physically present, he could access the surveillance gear remotely.
Robin Edgar