Amazon's Ring line of consumer home surveillance products has drawn quite a bit of attention in recent weeks for how easily bad actors outside the company have been able to access users' accounts. But for Ring, as with many other firms, some of the greatest security risks may come from inside the company.

In response to congressional questioning, Amazon this week admitted to four incidents in the past four years where employees accessed video data they were not supposed to. "Each of these individuals involved in these incidents was authorized to view video data," Amazon said in a letter (PDF), but in all cases, "the attempted access to that data exceeded what was necessary for their job functions."

Ring fired all those employees following "swift action to investigate" and told Congress that following each incident, the company "has taken multiple actions to limit such data access to a smaller number of team members." Additionally, the company said, it "periodically reviews" employees' access to data "to verify they have a continuing need for access" in order to do their jobs.

The employees who can access user videos are not all US-based, the company said. It declined to enumerate how many employees, in which countries, can access that data, saying instead that its research and development teams "in Ukraine and elsewhere can only access publicly available videos and videos available from employees, contractors, and friends and family of employees or contractors with their express consent."

Advertisement

That said, "publicly available" Ring video may include more information than the customers who generated it intend. Previous reports found footage online from tens of thousands of Ring cameras nationwide sharing extremely granular coordinates that allowed reporters and researchers to generate maps of their locations.

Amazon's admission comes on the heels of a spate of Ring hacks that drew nationwide attention. In those cases, intruders were using shared credentials, obtained from other hacks and breaches, to log in to poorly secured Ring accounts and harass the families using the devices. In response to the wave of attacks, Ring this week said it will soon be unveiling a new "dashboard" that makes it easier for account owners to manage their connected devices and enabling two-factor authentication by default for new accounts.

The high-profile access incidents were not Ring's only recent security fumble. In November, the company issued a patch for a vulnerability that exposed users' Wi-Fi credentials during device setup.

Amazon was first called on to provide answers to Congress about Ring late last fall, following news that the company had developed close partnerships with more than 400 law enforcement agencies nationwide. (As of today, the list includes 770 agencies.) The company sent responses to the first set of questions in November, but a group of senators including Ed Markey ( D-Mass.), Ron Wyden (D-Ore.), Chris Van Hollen (D-Md.), Chris Coons (D-Del.), and Gary Peters (D-Mich.) sent a pointed followup query (PDF). The company's January 6 letter came in response to that followup query.