Major Oz Retailers Exposed To Security Hack
Security cameras used by more than 100 Australian organisations, including retailers, have been caught up in a hack that has exposed serious vulnerabilities.
The cameras, manufactured by California-based startup Verkada, were breached by an international hacker collective seeking to highlight the privacy risks of pervasive video surveillance. According to Bloomberg, the hackers gained access to so-called “Super Admin” accounts, which allowed them to view live and archived video feeds from more than 150,000 cameras worldwide.
On a spreadsheet obtained by the ABC, an unnamed “national department store” and a “chain of duty-free shops” were among the Australian organisations listed as using the affected Verkada cameras.
The duty-free chain is likely Heinemann Australia, which is featured in a customer testimonial story on Verkada’s website, while Target may be the department store, as it is listed as a Verkada cloud surveillance customer on the website of Verkada partner Syno Global.
As reported by Bloomberg, the “Super Admin” accounts allowed Verkada employees to view customer cameras for legitimate purposes such as debugging and support; however, lax security measures meant intruders could gain access and that “20-year-old interns” at the company were able to use the accounts, according to a former senior employee.
Super Admin accounts could also bypass customers’ privacy mode settings, and the two-factor authentication required to use them was easily turned off. Verkada came under fire previously in October, when reports emerged that employees had used its cameras to harass other staff members; three workers were sacked over the incident.
US supplier CDW Corp has stopped selling Verkada cameras, reports Bloomberg, while tech company Cloudflare turned off its Verkada systems in its London, Singapore, New York, San Francisco, and Austin locations in response to the breach.
“We were notified of a breach of Verkada that allowed a hacker to access Verkada’s internal support tools to manage those cameras remotely, as well as access them through a remote root shell.
“As soon as we were notified of the breach, we proceeded to shut down the cameras in all our office locations to prevent further access,” Cloudflare said in a blog post.
Verkada, Syno Global, Heinemann, and Target have all been contacted for comment; however, the Australian number on Verkada’s website is out of service. While Syno Global could not confirm that Heinemann and Target used Verkada cameras due to confidentiality reasons, a spokesperson did confirm it sells the Verkada cameras in Australia.
Other Australian organisations using Verkada cameras include local councils, aged care facilities, schools, and childcare centres.