After a former Cisco contractor informed Cisco about a number of serious security flaws in its video surveillance software in 2008, the company failed to address the issues for years but simply continued to sell the vulnerable solution to US government agencies and other customers across the globe. The flaws were only patched in 2013 and the software was discontinued a year later.

Cisco has now agreed to pay $8.6 million in order to settle a joint lawsuit by the contractor who discovered the vulnerabilities and 18 US states. The attorney representing the whistleblower said that “this video surveillance software is used by airports, police departments, and schools. It is supposed to make us safer, making the vulnerabilities at issue all the more troubling.”

Read more: Cisco to pay $8.6 million for selling vulnerable software to US government