When cybersecurity expert James Glenn discovered vulnerabilities in Cisco video security software that exposed airports and government agencies at all levels to hackers, he thought reporting the flaw would be a major career booster.
Instead, the Danish company and Cisco partner that employed Mr. Glenn fired him and continued to sell the video surveillance technology, flaws and all, for an additional five years.
Cisco’s retaliatory actions and its willingness to put federal, state, and local government agencies and airports at risk by not fixing the problem prompted Mr. Glenn to take action. He filed a False Claims Act lawsuit on behalf of the United States, 15 states, and the District of Columbia.
In his 2011 whistleblower lawsuit, Mr. Glenn accuses Cisco of “selling and causing others to sell to federal agencies as well as to state and local government entities a video surveillance system that Defendant knew to possess dangerous, undisclosed, and impermissible security weaknesses.”
The vulnerabilities in Cisco’s Video Surveillance Manager (VSM) could allow an attacker to gain full administrative privileges on the system. Cisco eventually acknowledged the flaws and developed a patch in 2013 – five years after Mr. Glenn first discovered them and alerted the company.
Although Cisco says it is not aware of any security breaches affecting the VSM systems it sold, the potential threats posed by the product’s flaws were considerable. An intruder could have taken control of or bypassed door locks, alarms, and other physical security systems connected to camera systems.
With control of the system, unauthorized users could have effectively shut down major airports, including Los Angeles International and Chicago Midway, which used the affected systems.
On July 31, the U.S. Department of Justice (DOJ) announced that it had finally reached a settlement in Mr. Glenn’s whistleblower case. Cisco agreed to pay $8.6 million, with $2.6 million of the settlement going to the U.S. government and the rest, about $6 million, to the states, cities, and other entities that joined the lawsuit.
One cybersecurity expert told ABC News that the case is a groundbreaking one because it demonstrates that security vulnerabilities are clearly product defects.
“This allows for a new type of bug bounty for security researchers if vendors drag their feet, continue selling their products to governments without notifying of the risk they know about and not fixing their flaws,” Chris Wysopal of Veracode told ABC News.
Mr. Glenn received a whistleblower award of more than $1.7 million of the total settlement for his role in the recovery. He told ABC News that he feels “vindicated, but not in the celebratory sense.”
“I think in terms of the punishment level for the other party maybe it’s not that significant,” he added.
Whistleblowers are the key to exposing corporate wrongdoing and government fraud. A person who has first-hand knowledge of fraud or other wrongdoing may have a whistleblower case. Before you report suspected fraud or other wrongdoing – before you “blow the whistle” – it is important to make sure you have a valid claim and that you are prepared for what lies ahead.
Beasley Allen has an experienced group of lawyers dedicated to handling whistleblower cases. The lawyers on our firm’s Whistleblower Litigation Team are Archie Grubb, Larry Golston, Lance Gould and Paul Evans. These lawyers will be glad to discuss any potential whistleblower claim either in person or by phone.