
Hackers breach security cameras at Cloudflare, Tesla and more

The Verkada attack also saw 'Arson Cats' hackers access cameras in schools, prisons, and hospitals.


Companies including internet security provider Cloudflare and electric vehicle manufacturer Tesla are among victims of a hack that saw attackers breach more than 150,000 security cameras.

The cameras, which belong to California-based security company Verkada, had also been installed in schools, prisons, and hospitals.

Hacking group APT 69420 Arson Cats have claimed responsibility for breaching Verkada’s systems, with one of its members, Android developer Tillie Kottmann, telling Bloomberg that it was “just too much fun not to do it”.

Kottmann also listed “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism” as reasons for the breach.

The hacker told Ars Technica that Verkada had left an unprotected internal development system exposed to the internet. The system reportedly contained credentials for an account with super admin rights to the Verkada network, which the hackers managed to access, thus obtaining insight into 150,000 camera feeds, a portion of which used facial recognition.

Footage obtained by the hackers reportedly includes videos from inside elementary schools, women's health clinics, psychiatric hospitals, prisons, as well as offices belonging to Cloudflare, Tesla, and Verkada itself.

Although the footage is reported to be from different parts of the United States, Verkada also sells its cameras in the UK. IT Pro has contacted the company for comment as to whether any of its UK customers had been affected and will update this article when more information becomes available.

Cloudflare stated that “a handful” of its offices “may have been compromised”. However, the security cameras “were located in offices that have been officially closed for nearly a year” due to the pandemic. 

“As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. No customer data or processes have been impacted by this incident,” the company added.

Rick Holland, CISO of London-based cyber security company Digital Shadows, told IT Pro that the incident “is an example of the risks associated with outsourcing services to cloud providers”. 

“You don't always get more secure when you outsource your security to a third party,” he said, adding that the breach “is likely to result in regulatory investigations from the Department of Health and Human Services (HHS) for HIPAA/HITECH violations because surveillance footage can be considered protected health information”. 

“GDPR violations of personal data could have also occurred, and class action lawsuits could also be on the horizon. The intrusion also highlights the need for internal cybersecurity and physical security teams to be integrated or closely aligned. The lines between these two functional areas are blurred as more and more physical security controls make their way to the cloud,” said Holland.
