Amazon's Ring said it fired four employees for watching customer video feeds beyond what they were allowed to.
The smart doorbell maker acknowledged the move on Monday, in a letter it wrote to Democratic senators. In November, Sens. Ron Wyden of Oregon, Chris Van Hollen of Maryland, Ed Markey of Massachusetts, Chris Coons of Delaware and Gary Peters of Michigan sent a letter to Ring, asking for more information about how the company retains and secures customers' data and videos.
Brian Huseman, Amazon's vice president of public policy, said in the company's response to the lawmakers that there had been four complaints over the last four years about its employees' access to Ring video data.
"Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions," Huseman wrote in the letter, which was obtained by CNBC. "In each instance, once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual."
Huseman added that Ring now limits "such data access to a smaller number of team members" and will continue to review the access to those privileges, to determine whether "they have a continuing need for access to customer information."
Ring told CNBC in a statement that it doesn't comment on personnel matters. Amazon acquired Ring in February 2018 and the company now operates as a subsidiary of Amazon.
In the letter to Amazon, the senators' pointed to reports from The Intercept and The Information that found Ring employees in Ukraine were given unrestricted access to videos from Ring cameras around the world. Huseman said in Amazon's response that teams in Ukraine can only access publicly available videos and videos from Ring employees, contractors and friends, only after receiving their "express consent."
The senators also questioned Ring's security practices, highlighting a number of incidents where hackers broke into Ring users' accounts and then harassed users through their devices.
Ring pledged to heighten its security measures following those incidents. It announced Monday a new control center that will soon let Ring users set which devices have access to their video feeds and opt out of receiving requests for data from law enforcement.
The company also announced it will require users to enable two-factor authentication on their accounts. However, Sen. Wyden pointed out that it only applies to new products, meaning it doesn't apply to existing users. Two-factor authentication requires users to enter in a code sent to their phone that helps confirm they're the owner of the account.
"Requiring two-factor for new accounts is a step in the right direction, but there are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers," Wyden said in a statement. "Amazon needs to go further – by protecting all Ring devices with two-factor authentication."
Ring said it chose not to require all users to setup two-factor authentication because doing so risks potentially locking customers out of their cameras. The company added it will work to inform users about the dangers of opting out of two-factor authentication.
