(TNS) — A wide-ranging breach of San Mateo, Calif., security camera technology company Verkada appears to have compromised the security of thousands of private and public institutions across the world, including some in the San Francisco Bay Area.
San Francisco's city government seems to have been spared, however, due in part to a 2019 ordinance banning the use of facial recognition technology by the city's Police Department and other agencies.
The intrusion was first reported by Bloomberg.
The Chronicle obtained a supposedly leaked list of Verkada customers. While it could not be independently verified, the list contained detailed information about companies and public agencies including some Bay Area municipalities and school districts.
San Francisco security and user identification software company Okta was among those on the list. In an emailed statement, spokeswoman Lindsay Life said the company's service had not been affected by the Verkada breach.
"After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta's production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances," Life said.
In a blog post, online security company Cloudflare said it used Verkada cameras in its San Francisco offices and other locations. The company included screenshots from the cameras in the post and said it shut the cameras down when it became aware of the breach.
The South San Francisco Unified School District was included in the list, but spokesman Peter Feng said in an email, "The district has purchased a handful of Verkada units for evaluation but has not deployed them." He said that they had not heard from Verkada and that the school district uses a different manufacturer for its camera systems, although he declined to say which.
"The information regarding the security breach will certainly be taken into consideration during our evaluation," of the Verkada cameras, Feng wrote.
The Fremont Union High School District was another school district included on the unverified list. Chief Business Officer and Associate Superintendent Christine Mallery said in an email that she was not aware of the situation and did not respond to a follow-up email.
Mills College, also included on the list, said in an email that the school does use Verkada cameras but had not been notified they were part of any breach.
Other educational institutions that were listed but could not be reached for comment included the Morgan Hill Unified School District, Mission Dolores Academy in San Francisco, Menlo College and San Jose Evergreen Community College District.
An email address that appeared to be linked to the Stanford University School of Medicine also appeared on the list, although spokeswoman Julie Greicius said in an email that the school and its hospitals do not use the cameras and were not affected.
The private University of the Pacific, which has a campus in San Francisco, was listed, but spokesman Liam Connolly said in an email that the school does not use Verkada cameras on any of its campuses and was not affected.
The Sunnyvale Public Library was also on the list. Jennifer Garnett, communications officer for the Sunnyvale Office of the City Manager, said in an email that she was checking with staff when asked if the library or other city departments used the cameras.
Redwood City appeared on the list. Spokeswoman Jennifer Yamaguma said via email that the Police Department there does not use Verkada equipment or software, nor does any city department.
The Alameda Health System was also listed but did not respond to questions about the hack.
Some facilities of electric-car maker Tesla in China and California were also accessed during the hack, according to a report. The company did not immediately respond to an emailed request for comment.
District Three Supervisor Aaron Peskin, who sponsored the ordinance banning facial recognition technology from being used in San Francisco, said the legislation had been intended to protect people from being unfairly profiled or having their privacy invaded.
Asked if he had thought about the potential to avoid hacks like this when working on the legislation, Peskin said he hadn't. He said his concerns were more focused on the technology having "biases that disproportionately identified women and people of color."
"Even if it is perfect, I don't know if that's something we want in our society," Peskin said.
Under the ordinance, city agencies that access surveillance data have to have a plan for how the information will be used, retained and deleted, a process that is ongoing at the San Francisco Board of Supervisors, according to Peskin legislative aide Lee Hepner.
Groups like the ACLU have fought against the use of facial recognition technology by public agencies. In an emailed statement, ACLU of Northern California technology and civil liberties attorney Matt Cagle said the hack is an example of the privacy risks posed by surveillance.
"The danger doesn't end at hackers," Cagle said. "When cities and businesses surround streets and buildings with corporate surveillance systems — especially those with facial recognition capabilities — they are setting people up to be targeted by racist policing and predatory agencies like ICE who are eager to pry away control and co-opt these systems."
It was not clear from the list which cameras used the company's facial recognition technology, although Verkada's website alludes to those features being standard. Company marketing materials claim its software is secure and allows cameras to be accessed on any device anywhere in the world.
The intrusion has been attributed to a group that includes a Swiss hacker who goes by Tillie Kottman. Kottman said in a message to The Chronicle that they were able to log in with superadministrator-level access and view any cameras on Verkada's network, along with archived footage.
"We have disabled all internal administrator accounts to prevent any unauthorized access," a Verkada spokesperson said in an emailed statement. "Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement."
(c)2021 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.