ADT Pulse Vulnerability Allowed Third Parties to Remotely Access Home Security Systems for Nearly Seven Years, Lawsuit Claims

A proposed class action filed this week claims ADT has negligently allowed unauthorized parties to remotely access customers’ security systems and spy on household members “in their most private and intimate moments.”

The 21-page lawsuit out of Florida was filed by a woman who says ADT informed her mother in April 2020 that the technician who installed their home security system had granted himself remote access three years prior and had used it to spy on the plaintiff—then only a teenager—and the rest of the household nearly one hundred times.

“And [the plaintiff] was not the only one,” the case says, alleging that vulnerabilities within ADT’s “unsecure and unmonitored ‘security’ services” have subjected hundreds of customers to the same “staggering invasion of privacy” over at least a seven-year period.

“The mental and emotional impact this revelation has had…is immeasurable,” the complaint laments. “Moments once believed to be private and inside the sanctity of the home are now voyeuristic entertainment for a third party. And worse, those moments could have been captured, shared with others, or even posted to the internet. ADT’s failure to protect its customers irreparably destroyed their sense of security, safety, intimacy, and well-being.”

ADT Pulse Is “Perfectly Safe”?

The lawsuit explains that ADT, which holds itself as “#1 in smart home security,” markets and sells comprehensive home security system packages that are available in several tiers at different price points. One of the highest-tier packages is ADT Pulse, the suit says, which allows a customer to access and control their home security system and smart devices even while they’re away.

“Specifically,” the complaint explains, “consumers can arm and disarm their home security systems, remotely lock and unlock doors, view live camera footage, and control various smart home devices like a thermostat and lights.”

According to the case, ADT Pulse is marketed as a “whole new level of security and convenience,” allowing customers to install both indoor and outdoor cameras to “keep an eye on” their household, including children and pets. Anyone with valid credentials can log into the ADT Pulse mobile application or web portal and access live-stream videos, stored video clips, and any smart device connected to the security system, the lawsuit explains.

Along with the home security system, ADT Pulse comes with a “worry-free professional installation” performed by a highly trained technician, the case says.

While ADT boasts that its technicians “are what sets it apart” from competitors in earning customers’ trust, the company allegedly failed to secure its own systems “from massive and ongoing intrusions into customers’ private lives” at the hands of employees.

ADT Pulse Security Vulnerability

According to the lawsuit, a vulnerability in the ADT Pulse security system “completely obliterates” ADT’s promises of security and protection.

Around April 24, the suit says, ADT began contacting some of its customers to inform them that a security flaw had allowed unauthorized users to be able to access customers’ accounts “as if they were a regular user.”

In fact, an investigation conducted by the company had allegedly revealed that at least one ADT employee in the Dallas-Fort Worth area had access to more than 200 ADT Pulse accounts over a seven-year time frame. The complaint claims the individual had been able to—and did—add his personal email address to customers’ accounts so he could remotely log in to view and control their security systems using his own unauthorized credentials.

If ADT had implemented adequate security measures—such as preventing non-household members from adding email addresses to accounts or alerting customers whenever a new email address was added—this “invasive conduct” could have been avoided, the lawsuit claims.

“Countless checks could have been in place to prevent or at least stop this conduct,” according to the complaint.

The suit adds that the security breach was discovered “only by luck and happenstance” when a customer reported a technical issue and inadvertently revealed the third-party access.

Following the discovery, ADT engaged in a “frantic effort” to cover its tracks by contacting affected customers and urging them to sign a release and confidentiality agreement in exchange for a cash payment, the suit says. The lawsuit claims the payment represents “a fraction” of what customers are owed and argues that the release does not cover non-accountholders in the household as ADT led customers to believe.

Although ADT has assured customers that it’s implemented procedures to prevent similar security breaches from happening in the future, the case claims “it is already too late” for customers whose accounts and security footage have already been accessed and “potentially exploited.”

The Plaintiff’s Experience

The plaintiff is a non-accountholder who says she was only a teenager when her mother agreed to upgrade to ADT Pulse in September 2017. Although the plaintiff expressed reservations about having cameras installed inside their home, ADT allegedly assured her and her mother that the security system was “perfectly safe.”

The April 24 phone call from ADT in which the company disclosed the security vulnerability “destroyed whatever security and safety its security system promised,” the lawsuit says. The plaintiff claims the placement of the wide-angle lens on her indoor camera allowed ADT’s employee to view her in the nude, in various states of undress, while getting ready for bed, and during moments of physical intimacy.

Although ADT’s chief customer officer described the incident in an email later that day as a “difficult message to hear,” the case claims such a message “is, of course, woefully inadequate to truly describe Plaintiff’s loss of security, loss of safety, humiliation, and anger.”

Who Does the Case Look to Cover?

The lawsuit looks to represent anyone in the U.S. who resides in a household with an ADT Pulse security system but is not the accountholder and whose security system was remotely accessed by an ADT employee or agent without authorization from the accountholder.

Can I Join the Lawsuit?

At this time, there’s nothing you need to do to join the lawsuit. If the case moves forward and settles, anyone affected should receive notice of the settlement with instructions on how to claim whatever compensation the court deems just. 

Want class action news and updates sent straight to your inbox? Sign up for ClassAction.org’s newsletter here.