More than 100 Verkada staffers had access to the internal “Super Admin” privileges that hackers used Monday to get feeds from more than 150,000 cameras, according to Bloomberg News.
That meant a wide range of workers could watch the inner workings of Verkada’s clients, including jails, hospitals, schools and major companies like Tesla, the outlet reported Wednesday, citing three former employees.
“We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” one source told Bloomberg.
Tillie Kottmann, one of the hacktivists responsible for the Verkada breach, told surveillance research firm IPVM that they posed as an employee with “Super Admin” privileges to break into the company’s system.
The Super Admin accounts are supposed to help Verkada workers fix products and help customers with problems, according to Bloomberg. But the company’s lax security measures reportedly made it easy to misuse the system.
Staffers were supposed to submit a reason for accessing a customer camera, but the documentation was seldom checked, meaning a worker could just enter a blank space as the reason to access a feed, Bloomberg reported.
Super Admin users could also disable the “privacy mode” that allowed Verkada clients to hide cameras from the company’s view, according to the outlet. It’s reportedly unclear how many customers knew Verkada employees could access their cameras.
“Customers didn’t know and it was known at the company not to tell customers that,” one source with direct knowledge of the matter told IPVM. “No customer directly asked since any sane person would never expect a vendor to be able to do this so broadly across teams.”
Verkada told Bloomberg that it has clear policies for how employees should use the Super Admin feature, which was only available to staff who needed to address “customers’ questions and technical issues.”
“Verkada’s training program and policies for employees are both clear that support staff members were and are required to secure a customer’s explicit permission before accessing that customer’s video feed,” a company spokesperson told Bloomberg.
Janice founded TceDar with an aim to bring relevant and unaltered news to the general public with a specific viewpoint for each story catered by the team. She is a proficient journalist who holds a reputable portfolio with proficiency in content analysis and research. With ample knowledge about the business industry, Janice also contributes her knowledge to the business section of the website.