Surveillance startup Verkada reportedly gave more than 100 of its own staffers the same privileged access to customer cameras that hackers used to attack the company this week.
More than 100 Verkada staffers had access to the internal “Super Admin” privileges that hackers used Monday to get feeds from more than 150,000 cameras, according to Bloomberg News.
That meant a wide range of workers could watch the inner workings of Verkada’s clients, including jails, hospitals, schools and major companies like Tesla, the outlet reported Wednesday, citing three former employees.
“We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” one source told Bloomberg.
Tillie Kottmann, one of the hacktivists responsible for the Verkada breach, told surveillance research firm IPVM that they posed as an employee with “Super Admin” privileges to break into the company’s system.
The Super Admin accounts are supposed to help Verkada workers fix products and help customers with problems, according to Bloomberg. But the company’s lax security measures reportedly made it easy to misuse the system.
Staffers were supposed to enter a reason before accessing a customer camera, but those entries were seldom reviewed, so a worker could satisfy the requirement by typing a single space and then view the feed, Bloomberg reported.
Super Admin users could also disable the “privacy mode” that allowed Verkada clients to hide cameras from the company’s view, according to the outlet. It’s reportedly unclear how many customers knew Verkada employees could access their cameras.
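The two control failures described above, a free-text justification field that accepts a lone space and a customer "privacy mode" that vendor staff could switch off, are illustrated below as an added example written for this page. It is not Verkada's code and says nothing about how its system was actually built; the class names, the ticket-ID format and the consent mechanism are assumptions. The weak gate passes any non-empty string and never consults privacy mode; the hardened gate requires a non-blank reason tied to a support ticket on which the customer has recorded explicit permission, refuses to override privacy mode, and records every decision in an audit log.

```python
"""Added example: a support-access gate as described in the article versus a hardened one.
Not Verkada's code; all names, formats and the consent model here are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Customer:
    name: str
    privacy_mode: bool = False            # customer has hidden its cameras from the vendor
    consent_tickets: Set[str] = field(default_factory=set)  # tickets on which the customer granted access


@dataclass
class AccessRequest:
    employee: str
    customer: Customer
    reason: str                           # free-text justification typed by the staffer
    ticket: Optional[str] = None          # support ticket the access is for (assumed format SUP-####)
    override_privacy: bool = False        # staffer asked to switch off the customer's privacy mode


def weak_gate(req: AccessRequest) -> bool:
    """The control as the article describes it: any non-empty reason passes.
    A single space is non-empty, and privacy mode is never consulted."""
    return bool(req.reason)


# Hardened version: every decision is written here, allowed or not.
AUDIT_LOG: List[dict] = []
TICKET_RE = re.compile(r"^SUP-\d{4,}$")   # assumed ticket-ID format


def _evaluate(req: AccessRequest) -> Tuple[bool, str]:
    if not req.reason.strip():                      # whitespace-only reasons are rejected
        return False, "blank_reason"
    if req.ticket is None or not TICKET_RE.match(req.ticket):
        return False, "no_ticket"
    if req.override_privacy:                        # support staff cannot disable privacy mode
        return False, "privacy_override_not_permitted"
    if req.customer.privacy_mode:                   # customer hid its cameras: deny, full stop
        return False, "privacy_mode"
    if req.ticket not in req.customer.consent_tickets:   # explicit permission on this ticket required
        return False, "no_customer_consent"
    return True, "ok"


def hardened_gate(req: AccessRequest) -> Tuple[bool, str]:
    """Decide and log. Returns (allowed, reason_code) so reviewers can query the log later."""
    allowed, code = _evaluate(req)
    AUDIT_LOG.append({
        "employee": req.employee,
        "customer": req.customer.name,
        "ticket": req.ticket,
        "reason": req.reason,
        "override_privacy": req.override_privacy,
        "allowed": allowed,
        "code": code,
    })
    return allowed, code


if __name__ == "__main__":
    # Constructed sample: a customer that has not granted anything, then grants one ticket.
    hospital = Customer("Example Hospital")
    print("weak gate, reason=' ':", weak_gate(AccessRequest("intern", hospital, " ")))
    print("hardened, reason=' ':", hardened_gate(AccessRequest("intern", hospital, " ")))
    hospital.consent_tickets.add("SUP-1234")
    print("hardened, with consent:", hardened_gate(AccessRequest("intern", hospital, "camera offline", "SUP-1234")))
    hospital.privacy_mode = True
    print("hardened, privacy on:", hardened_gate(AccessRequest("intern", hospital, "camera offline", "SUP-1234")))
```

The point of the hardened gate is not the regex but the shape of the check: the justification has to bind to something a second party can verify (the ticket and the customer's recorded consent on it), the privacy setting is enforced by the vendor's own code rather than left to staff discretion, and the denial path is logged as carefully as the allow path so that a review of the log can surface exactly the blank-reason pattern the former employees described.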
“Customers didn’t know and it was known at the company not to tell customers that,” one source with direct knowledge of the matter told IPVM. “No customer directly asked since any sane person would never expect a vendor to be able to do this so broadly across teams.”
Verkada told Bloomberg that it has clear policies for how employees should use the Super Admin feature, which was only available to staff who needed to address “customers’ questions and technical issues.”
“Verkada’s training program and policies for employees are both clear that support staff members were and are required to secure a customer’s explicit permission before accessing that customer’s video feed,” a company spokesperson told Bloomberg.