A hacking collective claims to have breached security company Verkada, giving them access to live and archived footage from 150,000 security cameras inside Verkada customers’ facilities as well as its own offices, Bloomberg reported Tuesday.
According to Vice News, around 24,000 unique organizations use Verkada’s software, including private residences, malls, restaurants, nonprofits, and airports, revealing the extensive use of facial recognition and surveillance software.
Hackers successfully accessed feeds from Verkada customers including Tesla, Cloudflare, Equinox, Florida hospital system Halifax Health, Wadley Regional Medical Center in Texas, Tempe St. Luke’s Hospital in Arizona, Madison County Jail in Alabama, and Sandy Hook Elementary School in Connecticut, the site of the 2021 mass shooting, according to Bloomberg.
In some cases, a built-in feature of of certain cameras would have allowed the hackers to use the cameras to launch separate hacks into Verkada customers’ corporate networks, Bloomberg reported. Other cameras use facial recognition technology to identify individuals, according to Verkada’s website, potentially exposing sensitive personal information of patients, students, and employees of its customers.
“We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement,” a Verkada spokesperson told Insider.
A person familiar with the company’s response told Insider Verkada has enlisted an outside security company to help it investigate, and said Verkada has notified customers about the breach.
A Cloudflare spokesperson told Insider the company had been made aware Verkada cameras monitoring its facilities “may have been compromised” and that “the cameras were located in a handful of offices that have been officially closed for several months.”
“As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. To be clear, this incident does not impact Cloudflare products and we have no reason to believe that an incident involving office security cameras would impact customers,” they said.
The Verkada customers named above did not immediately respond to a request for comment. A spokesperson for Steward Health Care, which operates Wadley Regional Medical Center and Tempe St. Luke’s, declined to comment.
Tillie Kottmann, one of the hackers who claimed credit for the breach, told Bloomberg the group’s goal was to expose how widespread surveillance has become and how easily it can be hijacked, adding that their motives were “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
Hackers were able to view extremely sensitive footage, according to Bloomberg, including hospital staffers tackling a patient and police officers questioning criminal suspects, as well as detailed financial information about Verkada itself.
Verkada was previously scrutinized for security lapses in October after a report surfaced accusing male employees of using the company’s cameras to take photos of female employees and share them in a private Slack channel. After initially disputing the report, Verkada eventually fired the male employees involved, following a separate investigation by Vice News.