Apology Accepted?

Is an electronic “sorry” sufficient repayment to 24,000 customers? What if that apology is from a company with “security” in its name and they have recently been breached? Your live surveillance camera footage has been exposed, your data accessible, and yet nothing has changed in that regard. Are you now feeling less compromised following the sorry? Reassured it won’t happen again?

In the mass email apology, did the company happen to mention that long before the breach, untold numbers of unnecessary employees had free access to all of your data? Your live video footage? Mere months earlier a sales director and his staff had been caught viewing private customer surveillance footage for entertainment purposes--part of an ongoing office “prank.”

An October 2020 news story has much to say about access to sensitive information by this company’s personnel down the tier of authority. Far removed from high-security clearance, salespeople were regularly viewing and abusing customers’ private video footage.

That incident is being buried deeper by the day in Google searches as new coverage on the recent breach mounts. Here’s a reminder from Business Insider, reporting on the scandal in an article entitled, “Male employees at a $1.6 billion security-camera startup were accused of taking photos of female employees and sharing them in a private Slack channel.”

https://www.businessinsider.com/verkada-security-cameras-ipvm-investigation-2020-10

In essence, your security company was spying on you. The hackers weren’t trailblazers.

“The company acknowledged the hack and issued an apology for the exposure of “video and image data from a limited number of cameras.” However, they are not getting rid of the ability to view the live stream of individual devices.” ~Mark Vojtko “Smile! Thanks to Verkada Breach, You Could Be on Candid Camera” https://www.thesslstore.com/blog/smile-thanks-to-verkada-breach-you-could-be-on-candid-camera/

Pick a Title: “The Breach That Wasn’t,” or “Hackers With a Password”

The company is Verkada, and sorry must ring hollow to customers when it’s business as usual--the same business that allowed hackers to breach 150,000 live surveillance cameras--and practices haven’t changed.

“Hackers” the group were indeed, and a “breach” did take place, but those terms apply loosely to what occurred after a Verkada super admin password was left floating on the web waiting to be discovered. Apparently, a grade-schooler could have waltzed in.

“A hacker collective that jokingly refers to itself as “Advanced Persistent Threat 69420” is responsible for the data breach, but calling the incident a “hack” may be a stretch; the hackers claim they found the admin account credentials listed in materials available to the general public over the internet.” ~Scott Ikeda

“Verkada Data Breach Exposes Feeds of 150,000 Security Cameras; Targets Include Health Care Facilities, Schools, Police Stations, and a Tesla Plant,” March 15, 2021

The particular group makes a point of exposing the ease with which corporate security systems and government agencies can be breached. Member Tillie Kottman, who has since been arrested and her Swiss home searched and some incriminating evidence seized, made the following observation about their infiltration of Verkada:

“This one was easy. We simply used their web app the way any user would, except we had the ability to switch to any user account we desired. We did not access any server. We simply logged into their web UI with a highly privileged user account.”

Several publications have documented the extent of access available to Kottman and her crew. Like some proverbial school children running loose on the playground, they cavorted from camera feed to camera feed. The video footage ranged from mundane to highly private, even capturing a law enforcement interrogation of a handcuffed prisoner. The main issue being that every frame of it was private property.
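The two failure modes described above, a sales team with no business need browsing customer footage and a single privileged account hopping across unrelated customers’ feeds, both leave a trail in platform audit logs. The following is an added example, not Verkada’s code or log format: it runs two defender-side checks over constructed audit lines. The field layout, role names, account names, and the thresholds (more than three distinct customer organizations inside ten minutes) are assumptions chosen for illustration.

```python
"""
Audit-log review for privileged accounts on a hosted surveillance platform.

Constructed example: the log format, role names, accounts and thresholds
below are assumptions for illustration, not any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles assumed to have a business need to open customer camera feeds.
# super_admin is listed only because the platform grants it; the fan-out
# rule below is what catches a super admin roaming across customers.
FEED_VIEW_ROLES = {"customer_admin", "customer_viewer",
                   "support_on_ticket", "super_admin"}

# Constructed audit lines: timestamp | account | role | action | customer_org
SAMPLE_LOG = """\
2021-03-08T10:00:01Z | alice@acme-corp.example | customer_admin | view_feed | acme-corp
2021-03-08T10:00:07Z | alice@acme-corp.example | customer_admin | view_feed | acme-corp
2021-03-08T10:01:30Z | sales-dir@vendor.example | sales | view_feed | acme-corp
2021-03-08T10:02:12Z | superadmin@vendor.example | super_admin | switch_user | acme-corp
2021-03-08T10:02:40Z | superadmin@vendor.example | super_admin | view_feed | acme-corp
2021-03-08T10:03:05Z | superadmin@vendor.example | super_admin | switch_user | hospital-b
2021-03-08T10:03:20Z | superadmin@vendor.example | super_admin | view_feed | hospital-b
2021-03-08T10:04:01Z | superadmin@vendor.example | super_admin | switch_user | school-c
2021-03-08T10:04:15Z | superadmin@vendor.example | super_admin | view_feed | school-c
2021-03-08T10:05:00Z | superadmin@vendor.example | super_admin | switch_user | police-d
2021-03-08T10:05:10Z | superadmin@vendor.example | super_admin | view_feed | police-d
2021-03-08T11:30:00Z | support-7@vendor.example | support_on_ticket | view_feed | hospital-b
"""


def parse_log(text):
    """Turn pipe-separated audit lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, role, action, org = [p.strip() for p in line.split("|")]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "role": role, "action": action, "org": org,
        })
    return events


def unauthorized_role_views(events):
    """Rule 1 (insider case): feed views by a role with no business need."""
    return [e for e in events
            if e["action"] == "view_feed" and e["role"] not in FEED_VIEW_ROLES]


def cross_tenant_fanout(events, max_orgs=3, window=timedelta(minutes=10)):
    """Rule 2 (roaming privileged account): one account reaching more than
    max_orgs distinct customer organizations, via feed views or account
    switching, inside a sliding time window. Returns one alert per account
    as (account, window_start, sorted_orgs)."""
    by_account = defaultdict(list)
    for e in events:
        if e["action"] in ("view_feed", "switch_user"):
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            orgs = {e["org"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(orgs) > max_orgs:
                alerts.append((account, start["ts"], sorted(orgs)))
                break  # one alert per account is enough for triage
    return alerts


def review(text):
    """Run both rules and return the findings in one structure."""
    events = parse_log(text)
    return {
        "unauthorized_role_views": unauthorized_role_views(events),
        "cross_tenant_fanout": cross_tenant_fanout(events),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for e in findings["unauthorized_role_views"]:
        print(f"RULE1 {e['ts']} {e['account']} role={e['role']} org={e['org']}")
    for account, start, orgs in findings["cross_tenant_fanout"]:
        print(f"RULE2 {start} {account} reached {len(orgs)} orgs: {orgs}")
```

Rule 1 fires on the sales director viewing a customer feed; Rule 2 fires on the super admin account touching four customers in about three minutes, which is the pattern of a single highly privileged credential being used to wander from feed to feed. A real deployment would tune the threshold to what support staff legitimately do in a shift and route both rules to the same queue that reviews privileged-account use.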

Faces and Toes

What often goes unsaid is that many of the 150,000 cameras accessed were equipped with audio capability and Verkada’s facial recognition features.

Ouch! That’s got to step on some liability-issue toes!

That touchy subject--facial recognition--rose to prominence in the surveillance world in the form of multiple lawsuits brought by rights groups against Clearview AI, the data-collecting facial recognition firm whose customer list was hacked.

So where, amid a breach of 150,000 surveillance cameras, is the FCC cavalry? Where’s the giant FTC broom sweeping up this mess? Why aren’t we seeing follow-up news of this blockbuster event every day?

The violations are likely to be numerous across several agencies, businesses, and private clients. Rest assured, complainants are lining up, we’re told. Perhaps the first in line will be the Department of Health and Human Services (HHS) for HIPAA/HITECH violations or even Sandy Hook Elementary School, the site of the 2012 mass shooting of students. Accessing surveillance cameras located at that American monument to pain, hackers took time to view inside the school.

The lawsuit possibilities could be enormous--say, up to the 24,000 count range?

Who Are the Bad Guys Here?

Thus far, the U.S. Department of Justice has indicted Tillie Kottman, an outspoken hacker, on charges of alleged computer and wire fraud, and aggravated identity theft. Should we consider that the beginning of a potential avalanche?

“The FTC could, in theory, level fines on a firm like Verkada were it to find that its cybersecurity practices were “unfair” or its advertisements of secure products were “deceptive,”” said Jeffrey Vagle, an assistant professor at Georgia State University College of Law, who focuses on privacy.

At least security providers as a whole seem to recognize the significance of the breach. The response was swift in an industry-publication article entitled, “Associations Issue Joint Statement On Cybersecurity Threats In Wake of Verkada Breach: ASIS, ESA, TMA, PSA, and SIA share comprehensive list of cybersecurity resources to help strengthen industry practices,” Security Industry Association, March 17th, 2021.

Would it be farfetched to expect a ray of sunshine at the end of this cybersecurity storm? Dare we hope to see more extensive legislation and enforcement regarding the security of personal data? Will our private information be declared forcibly off-limits to a corporate world that exploits us for monetary gain?

The Verkada breach was a stunner but to what end? The initial shock and outrage may have been no more than a blip, now passed. But lack of rumbling doesn’t mean the threat of further storms has been eliminated.


Has the Security Industry Been Exposed as The Great Oz?

“The breach, experts say, peeled back the curtain on a world of private surveillance that is invasive and ripe for further exploitation by malicious actors.” ~Sean Lyngaas, CyberScoop, March 19, 2021 https://www.cyberscoop.com/verkada-breach-surveillance-facial-recognition-privacy/

Will that curtain remain open to reveal the extent of ongoing threats, the far-reaching fallout of this security lapse?
Perhaps much of what transpires between Verkada and its 24,000 customers, who have had their private data accessed with little more than an “oops!” in response from their security provider, will take place outside of the public eye.