Interns at security camera startup Verkada Inc., whose clients included major corporations, police departments and schools, reportedly had access to a “Super Admin” power which allowed them to see live camera feeds for thousands of customers.
Workers repeatedly raised concerns about the “Super Admin” accounts, but they weren’t addressed, according to a former employee who spoke to Bloomberg. More than 100 Verkada employees, including sales staff and interns, had access to the “Super Admin” accounts, multiple former employees said. With this power, young interns were able to spy on live feeds and could archive videos from Verkada clients, including Tesla.
Engineers looked at users’ video feeds on a daily basis, one source claimed to Bloomberg.
A Verkada spokesperson told Bloomberg that employees were required to get permission before accessing a client’s security feed, and that the super-power access was granted to address their clients’ technical issues. However, one former senior-level employee reportedly disputed that claim.
“We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” they said.
Weak security measures left customers vulnerable to malicious actors, former employees said.
Hackers gained access to the “Super Admin” accounts Monday and were able to see video feeds inside Tesla, Inc., police interviews and hospital workers tackling a patient, according to Bloomberg. The company said access to the Super Admin accounts was limited to employees who were needed to handle certain engineering or customer service problems.
One of the hackers, Tillie Kottmann, said the European hacking collective that breached Verkada wanted to expose the pervasiveness and vulnerability of security systems, Bloomberg reported.
Super Admin accounts could turn off a “privacy mode” activated by customers that was meant to prevent employees from viewing their cameras. Workers were required to log their use of Super Admin accounts and provide justification for their use, but that wasn’t much of a deterrent, according to one former employee. “Nobody cared about checking the logs. You could put whatever you wanted in that note; you could even just enter a single space,” they told Bloomberg.
The hackers were also able to gain access to customers’ personal and financial information, according to The Verge. The hack is America’s highest-profile security breach since the SolarWinds hack of Microsoft, which gave hackers access to Microsoft user information.