Daytona, FL (WorkersCompensation.com) – A data breach of security cameras utilized by multiple corporations brings up some serious questions regarding surveillance and safety. A group of international hackers recently gained access to security company Verkada, accessing the feed of over 150,000 surveillance cameras placed in not only manufacturing companies such as Tesla, but hospitals, schools, prisons, and police departments as well, according to a report from Bloomberg.
Tillie Kottmann, an unidentified frontman for the collective hackers called “Advanced Persistent Threat 69420,” claimed the data breach occurred on March 8th, and stated that the intent was to demonstrate just how much the public is being monitored, and how vulnerable the surveillance platforms are to data hacking due to a lack of effort. The hackers did not shut down any systems, nor demand a ransom.
The perpetrators gained access to Verkada’s systems via an elementary “Super Admin” account, which allowed them to view the cameras of all of Verkada’s customers across a wide array of industries, including HIPAA-protected healthcare facilities. The hackers found the information for the Super Admin account publicly posted on the internet. Once in the system, they were not only able to view the camera feed, but also access and control the cameras themselves, and had access to all archives. No advanced hacking was required as the availability to remotely control the cameras is a standard design feature.
In addition to reviewing camera feeds, the group also was able to download a listing of all of Verkada’s customers and their financial information, which is not released publicly. At one point, hackers watched an employee of Verkada in their home office with their family via camera.
One of the hacked videos that Bloomberg reviewed belonged to Halifax Health. According to the Bloomberg report on the video, several workers were seen wrestling a patient to subdue them, although it’s not clear in what department or scenario the event occurred. A spokesman for Halifax did confirm that they were a customer of Verkada but they believed “the scope of the situation is limited.”
Halifax had been featured by Verkada in a case study on HIPAA compliance. Florida based non-profit post-acute care group, Chapters Healthcare System is another healthcare alliance featured by Verkada in a case study on HIPAA compliance. Executives at Chapters were tasked with updating a surveillance system that required an enormous amount of manual time and effort to pull footage, and perform updates. The reasons given in the case study for choosing Verkada surveillance was due in part to offering automatic updates and end-to-end encryption.
One of features that Verkada offers in software is “People Analytics.” The software offers customers the ability to search video footage based on gender traits, clothing color, and other attributes including their face. The software can be used to track employees, patients, and in some cases inmates. Additionally, the company offers environmental monitoring with the ability to monitor bullying and fighting, vape detection, motion, temperature, noise levels, air quality and product control.
Verkada stated that it has disabled all of its internal administrator accounts, and Bloomberg confirmed the action with Kottman, who confirmed they no longer have access.
In a time when virtual monitoring is no longer a luxury but a necessity to merely function and manage an ever-growing amount of data, this incident brings up the question of how to guarantee HIPAA compliance and safety, especially as a customer that does not have control over vendor security systems. Meanwhile, Harvard researchers have speculated about the security breaches that could occur in the use of telemedicine.