Police departments, prisons, schools, hospitals and major technology firms were among the 24,000 organizations that had their cloud-based surveillance video breached by an international hacker group.
A number of police departments, prisons, schools, hospitals and major technology firms had their cloud-based surveillance video breached by an international hacker group.
The breach was first reported by Bloomberg. In that report, the hackers said they gained access to surveillance data from 150,000 cameras operated by Silicon Valley startup Verkada. The hackers, who found log-in details for a “super admin” account on the web, also said they gained access to the company’s balance sheet, its full list of 24,000 global customers and the entire saved video archive.
Founded in 2016, Verkada sells a cloud-based access control solution that features security cameras, door controls and light and motion sensors as well as software that allows customers to access and manage equipment and data via the web. The service allows the cameras to “act as sensors, leveraging the latest in AI and edge computing to uncover actionable insights in real-time,” the company said on its website. The company’s video analytics allow customers to find specific individuals in their video by searching for clothing color and appearance and track their movement across facilities with heatmaps.
Victims include a police station in Stoughton, Wis., the Madison County Jail in Huntsville, Ala. and Arizona’s Graham County detention facility. Besides seeing videos of patients and staff from a number of health care facilities, the hackers told Bloomberg they gained access to cameras in Sandy Hook Elementary School in Newtown, Conn. Breached video also features workers on a Tesla supplier’s assembly line in Shanghai and views of the offices of Cloudflare and Okta.
The full list of customers includes shopping malls, credit unions, universities, pharmaceutical companies, marketing agencies, pubs, churches, museums, airports and more, according to Vice News.
According to a Verkada statement, the attackers obtained credentials allowing them to bypass its two-factor authentication and access a server used for bulk maintenance operations on customer cameras. There is no evidence the attackers compromised customer passwords or compromised the company’s internal networks, the company said, but the hackers were able to obtain video and image data from some customers, the names and emails of client administrators and a list of Verkada sales orders. The attackers also “gained access to a tool that allowed the execution of shell commands on a subset of customer cameras,” CEO Filip Kaliszan said, but there is “no evidence at this time that this access was used maliciously against our customers’ networks.”
Verkada notified the FBI and is working with Mandiant Solutions and Perkins Coie to identify the root cause of this attack and shore up its ensure internal security.
The data breach was intended to show not just how easily the systems could be accessed, but also the pervasiveness of video surveillance, Tillie Kottmann, one of the hackers, told Bloomberg.
The breach also illustrates the critical need to secure internet-connected technology. The rush to install more surveillance cameras and internet-of-things devices is fueling a wave of unprotected equipment that puts people’s privacy at risk, Liz O'Sullivan, the technology director for the nonprofit advocacy group the Surveillance Technology Oversight Project, told the Washington Post.