Bloomberg reported that a group of hackers said they breached a massive trove of security-camera data collected by Silicon Valley startup Verkada Inc., gaining access to live feeds of 150,000 surveillance cameras inside hospitals, companies, police departments, prisons and schools.
Companies whose footage was exposed include carmaker Tesla Inc. and software provider Cloudflare Inc. In addition, hackers were able to view video from inside women’s health clinics, psychiatric hospitals and the offices of Verkada itself. Some of the cameras, including in hospitals, use facial-recognition technology to identify and categorize people captured on the footage. The hackers say they also have access to the full video archive of all Verkada customers.
Bloomberg reported that the data breach was carried out by an international hacker collective and intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into, said Tillie Kottmann, one of the hackers who claimed credit for breaching San Mateo, California-based Verkada. Kottmann, who uses they/them pronouns, previously claimed credit for hacking chipmaker Intel Corp. and carmaker Nissan Motor Co. Kottmann said their reasons for hacking are “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism — and it’s also just too much fun not to do it.”
According to Vice News, around 24,000 unique organizations use Verkada’s software, including private residences, malls, restaurants, nonprofits, and airports, revealing the extensive use of facial recognition and surveillance software.
Hackers successfully accessed feeds from Verkada customers including Tesla, Cloudflare, Equinox, Florida hospital system Halifax Health, Wadley Regional Medical Center in Texas, Tempe St. Luke’s Hospital in Arizona, Madison County Jail in Alabama, and Sandy Hook Elementary School in Connecticut, the site of the 2021 mass shooting, according to Bloomberg.
In some cases, a built-in feature of of certain cameras would have allowed the hackers to use the cameras to launch separate hacks into Verkada customers’ corporate networks, Bloomberg reported. Other cameras use facial recognition technology to identify individuals, according to Verkada’s website, potentially exposing sensitive personal information of patients, students, and employees of its customers.
Hackers were able to view extremely sensitive footage, according to Bloomberg, including hospital staffers tackling a patient and police officers questioning criminal suspects, as well as detailed financial information about Verkada itself.