Cisco pays $8.6M to settle DOJ suit over vulnerable video surveillance software
Cisco Systems Inc. has agreed to pay an $8.6 million fine to end a lawsuit accusing it of selling insecure software to the U.S. government.
The settlement, which became public as part of a legal complaint unsealed Wednesday, concludes an eight-year court saga. Filed in 2011 by the Department of Justice, the suit centered on Cisco’s Video Surveillance Manager software. The product, which was purchased by numerous government agencies to help manage security cameras at their facilities, turned out to have major security vulnerabilities.
The vulnerabilities were uncovered in 2008 by a Cisco subcontractor based in Denmark. The engineer discovered that it was possible to bypass the software’s security controls, gain full administrative privileges to a camera network and delete footage. Cisco was informed of the issue in September of that year, the suit charged, but continued selling the vulnerable software until July 2013.
Most of the $8.6 million the company has agreed to pay will be provided in the form of refunds to the U.S. federal government and state buyers. Approximately $1.6 million will go to the former subcontractor who brought authorities’ attention to the flaws.
In a blog post addressing the news, Cisco General Counsel Mark Chandler stressed that there’s no indication hackers ever exploited the vulnerabilities. That’s probably a big part of why the company had to pay only $8.6 million to settle the suit. Vulnerable versions of Video Surveillance Manager were bought by the Secret Service, the Department of Homeland Security and a host of other federal agencies, as well as state and local public sector organizations such as transport authorities.
Cisco’s fine is fairly small compared with some of the other penalties that regulators have handed out over corporate cybersecurity lapses. Last week, Equifax Inc. reached a deal with the Federal Trade Commission to pay at least $575 million in connection with the 2017 breach of its network. The money will be used to provide compensation and credit monitoring services to the roughly 147 million consumers whose data was compromised in the attack.