Upon gaining access to the network during the breach, the hackers were able to view live video surveillance of 150,000 security cameras including those in private homes, ICU in hospitals, prison cells, interrogation rooms, gyms, and elementary schools. They were also able to access the surveillance video of Nissan, Tesla, and Cloudflare.
In addition to having access to live video feed, hackers were also able to access video archives. They provided proof that they had the video archives by sharing some of the videos with Bloomberg, including a video from a Florida hospital showing both patients and staff members. This should be of concern for healthcare organizations as video footage of patients is considered protected health information (PHI) under HIPAA. As such, there is likely to be an investigation by the Department of Health and Human Services’ Office for Civil Rights to determine whether of not Verkada, a business associate, violated the regulation.
Although internal investigations are still underway, it appears as though clients names and email addresses were also compromised in the incident. The company furthered, “We can also confirm that the attackers gained access to a tool that allowed the execution of shell commands on a subset of customer cameras; however, we have no evidence at this time that this access was used maliciously against our customers’ networks. All shell commands issued through our internal tool were logged.”