Following the confirmation that its systems had been hacked, Verkada has updated its customers on the security of its system, the status of its investigation into the hack and the steps it is taking to ensure the protection of its customers and system.
The surveillance systems manufacturer has confirmed that it has identified the attack vector used in the attack has been identified and that all customer systems were secured as of approximately noon PST on March 9, 2021.
“The attack targeted a Jenkins server used by our support team to perform bulk maintenance operations on customer cameras, such as adjusting camera image settings upon customer request,” explained Filip Kaliszan CEO, Verkada Inc in an open letter to customers. “We believe the attackers gained access to this server on March 7, 2021 and maintained access until approximately noon PST on March 9, 2021. In gaining access to the server, the attackers obtained credentials that allowed them to bypass our authorisation system, including two-factor authentication. We are continuing to investigate the incident, and we are contacting all affected customers.”
The manufacturer has confirmed that the attackers obtained video and image data from a limited number of cameras from a subset of client organisations; a list of its client account administrators, including names and email addresses but not passwords or password hashes; and a list of Verkada sales orders. The sales order information is used by the manufacturer’s Command system to maintain the license state of its customers. The manufacturer states that this information was obtained from its Command system and not from other Verkada business systems.
“We can also confirm that the attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however we have no evidence at this time that this access was used maliciously against our customers’ networks,” added Kaliszan. “All shell commands issued through our internal tool were logged.”
There is currently no evidence that the breach compromised user passwords or password hashes or Verkada’s internal network, financial systems, or other business systems.
In addition to its internal response team, Verkada has retained Mandiant Solutions and Perkins Coie, to conduct a thorough review of the root cause of this attack and support its efforts to ensure internal security. The manufacturer also notified the FBI, which is assisting the company in this investigation.