ADT Security Services faces another lawsuit over the brazen privacy-invading actions of a former installation technician who for years was able to spy on consumers’ most intimate moments.
The Texas resident behind the 28-page proposed class action claims to be one of hundreds of ADT-equipped households terrorized over a seven-year period by defendant Telesforo Aviles, who on January 21 pleaded guilty to repeatedly hacking into the video feeds of ADT Pulse users’ indoor security cameras for sexual gratification. According to the complaint, ADT’s failure to address a “large” security vulnerability within its Pulse application allowed 35-year-old Aviles to perpetrate “massive and ongoing intrusions into its customers’ private lives,” a breach the Texas U.S. Attorney’s office has called a “disgusting betrayal of trust.”
The lawsuit slams ADT for engaging in “a frantic effort to mitigate and hide the fact” that a vulnerability in its supposedly “industry-leading” home security systems allowed for a shocking invasion of customers’ privacy just three months after the company released the results of a self-conducted survey that found consumers have strong privacy expectations when it comes to smart-home devices.
In the wake of the survey, in which ADT allegedly “bragged that it was leading the industry in establishing ‘best practices’ for the protection of consumer privacy,” the defendant proceeded to call account holders who may have been spied on to secure a release and confidentiality agreement “in exchange for a monetary payment representing a fraction of the value of their claims,” the lawsuit says. According to the complaint, this effort, “directed by lawyers but carried out by customer service representatives,” failed to determine which ADT customers had legal representation and amounted to an attempt to “mislead them into believing that the release would cover account holders and non-account holders in the household alike.”
The proposed class action looks to cover non-ADT account holders who lived in households with a Pulse security system that was accessed by “an employee or agent of Defendant ADT without authorization,” as well as those fitting the same criteria who were spied upon by Aviles. The case alleges ADT was negligent not only in failing to ensure that its systems were properly safeguarded but in hiring and/or supervising Aviles, who the company “knew or should have known … was incompetent or unfit.”
As the case tells it, the true scope of the fallout from the ADT Pulse vulnerability is yet unknown in that any number of individuals may have been able to secretly spy on customers in their own homes. According to the Department of Justice website, Aviles, over a four-and-a-half-year period, admitted to secretly accessing approximately 200 customer accounts more than 9,600 times without consent. Aviles, who waived indictment, faces up to five years in federal prison.
“Beyond Aviles, potentially countless other unknown individuals have been accessing customers’ ADT Pulse accounts and surreptitiously viewing their camera footage, for years, all around the country,” the lawsuit alleges.
The suit, filed in Florida federal court on April 2, mirrors a proposed class action filed last May in which an ADT Pulse customer alleged Aviles had exploited security vulnerabilities to spy on the plaintiff “nearly one hundred times” when she was only a teenager.
A “terrifying” phone call from ADT
In April 2020, the plaintiff’s wife received a “terrifying” phone call from ADT in which the company informed her that the technician who installed their indoor security camera had granted himself remote access to their account.
The plaintiff, described in the suit as a long-time ADT customer, had an ADT Pulse system that included an indoor security camera with a wide-angle view that provided a visual of a bathroom, entryway, family room, dining space and stairs, as well as a glimpse into the master bedroom, the complaint says. In the call the man’s wife received from an ADT concierge specialist, the employee relayed that Aviles, who was not named during the call, had access to their in-home camera and potentially viewed the couple and their minor son “for an unknown amount of time,” the lawsuit says.
The cause of the intrusion, according to the case, was ADT’s “unsecure and unmonitored” Pulse application that allowed for Aviles, and potentially others, to “control every aspect” of a customer’s home security system, including the capability to open locks, disarm the system, and view and download security camera footage.
And [the plaintiff] was not the only one. He soon found out that hundreds of households had experienced the same staggering invasion of privacy over at least a seven-year period.”
Lawsuit claims “countless” other ADT techs could have spied on Pulse homes
For a customer’s ADT Pulse system to work correctly, it needs to be installed by one of ADT’s “highly trained” technicians, the suit says. ADT warrants, among other marketing representations, that its techs stand apart from the competition in that they’re able to earn customers’ trust and “protect the most important people in their lives.” ADT also “knows precisely how important the security of smart home devices is to consumers,” the case says, noting that a December 2019 survey performed by the company found that “92% of consumers felt that ‘smart home security companies [like ADT] need to take measures to protect customers’ personal data and information.’”
The lawsuit alleges that the vulnerability in ADT’s Pulse security system has “completely obliterate[d] all of ADT’s promises of security and protection,” something the defendant was forced to reckon with last April when it began to contact customers.
According to the complaint, ADT began to call some customers on or around April 23, 2020 to inform them that a security vulnerability in the Pulse system had allowed unauthorized users to access their accounts “as if they were a regular user.” ADT’s investigation revealed that Dallas-Fort Worth-area tech Aviles was by all accounts the worst offender among those who accessed customers’ accounts without consent, the case relays.
According to an ADT spokesperson, Aviles was able to add—and, in fact, did add—his own personal email address to customers’ accounts, allowing him to remotely login to a customer’s account using his own unauthorized credentials.”
Aviles was able to access Pulse customers’ accounts undetected for so long due to ADT’s failure to implement “adequate procedures” to ensure technicians removed their access to Pulse systems after installation and to prevent non-household members from adding non-household email addresses to accounts, the lawsuit alleges. Moreover, ADT also failed to monitor customers’ accounts and promptly alert them in the event a new email address was added.
“Countless checks could have been in place to prevent or at least stop this conduct,” the suit contends. “Instead, this breach came to light only by luck and happenstance: a customer, reporting a technical issue, inadvertently revealed the unwanted third-party access.”
Who does the lawsuit look to cover?
The lawsuit looks to represent everyone in the United States who (1) resides in a household with an ADT Pulse security system but is not the account holder and (2) had that security system remotely accessed by an employee or agent of ADT without authorization from the account holder.
Additionally, the lawsuit proposes a “sub-class” of everyone in the United States who (1) resides in a household with an ADT Pulse security system but is not the account holder and (2) had that security system remotely accessed by Telesforo Aviles without authorization from the customer.
How can I join the lawsuit?
There’s generally nothing you need to do to join or be included in a proposed class action lawsuit. This type of case almost always takes time to work its way through the legal system, usually toward a settlement, dismissal or, increasingly, to binding arbitration outside of court. Overall, it may take a while before the time may come for those who might be considered a part of the “class” to submit claims for whatever compensation the court deems appropriate in the dispute.
At any rate, it’s generally only if and when a case settles that consumers would need to take legal action. Read more about all that here.
If you believe you’ve been affected by a company’s alleged conduct, stay informed and check back with ClassAction.org for updates. You can sign up for our free weekly newsletter here.