Whistleblower wins $9m over surveillance software Cisco knew was bug-ridden

Cisco has agreed to an $8.6 million settlement over claims it sold vulnerable software to US government agencies

A cyber security whistleblower has won nearly $9m after discovering that Cisco was selling surveillance software it allegedly knew was bug-ridden.

Cisco has agreed to an $8.6m settlement after James Glenn, who worked for a Cisco distribution partner in Denmark, found that the company was knowingly selling vulnerable video surveillance software to federal, state and local government agencies.

Glenn claimed that Cisco's Video Surveillance Manager, a centralised video surveillance system, was full of bugs that left government systems exposed to potential unauthorised access and manipulation of vital information.

Glenn added that Cisco had been selling software with "critical security vulnerabilities" to US government bodies, such as the Department of Homeland Security, the Secret Service, the Army, the Navy, the Air Force, the Marine Corps and the Federal Emergency Management Agency, since 2008.

In several detailed reports issued to Cisco, he explained that the software enabled anyone with a "moderate grasp of network security" to exploit the software to gain access to data, bypass security systems and gain administrative access to government agency networks.

Despite being made aware of these flaws by Glenn, Cisco continued to sell the software to high-profile government targets, unpatched.

Because of this, the whistleblower filed a lawsuit under the False Claims Act. This law enables individuals to blow the whistle on fraud and misconduct in federal government contracts and programmes, with the incentive of financial rewards in return if their claims are proved.

Glenn said: "The tech industry needs to fulfill its professional responsibility to protect the public from their products and services.

"There's a culture that tends to prioritise profit and reputation over doing what's right. I hope coming forward with my experience causes others in the tech community to think about their ethical mandate."

He had been represented by law firm Constantine Cannon LLP and its whistleblower attorneys Anne Hayes Hartman, Michael Ronickher, and Hamsa Mahendranathan, and co-counsel Claire Sylvia at Phillips & Cohen LLP in the case.

Ronickher, a partner at Constantine Cannon, said: "Citizens depend on the tech industry to keep our data secure, and every data breach we read about shakes our confidence.

"This case is a critical step forward in enforcement of cybersecurity requirements - the first time the government has used a whistleblower's information to hold a major provider accountable."

Hamsa Mahendranathan, an attorney in Constantine Cannon's New York office, added: "This video surveillance software is used by airports, police departments, and schools.

"It is supposed to make us safer, making the vulnerabilities at issue all the more troubling. As we put more trust in tech companies to keep us safe, we need to encourage industry whistleblowers to come forward more than ever."