qertboost.blogg.se

Verkada breach details

Let’s start with a candid discussion on IoT and Internet Security.

If you are an IoT vendor, you bear some fundamental responsibilities to protect your company, infrastructure, and the security and privacy of your clients, whether they are other businesses you are selling to or consumers. You would absolutely want to architect and deploy a solution in which a single credential or account could in no way, EVER, be used to jeopardize the trust and well-being of your clients and solution. Moreover, your customers should have every expectation that this is the case. With that in mind, you would want these basic security controls in place:

- Segregation of access to the IoT devices you service, including enforcement of the separation of privilege concept. No one account should have access to everything, or much at all, for that matter.
- Two-factor authentication enabled for all clients.
- Multi-factor authentication (MFA) enabled for all employees, vendors, and contractors.
- Restricted access to all sensitive accounts from only approved zones.
- Privileged credential management to rotate, manage, secure, and provide certification for all administrative accounts.
- An established workflow to allow access to the most sensitive accounts, adhering to just-in-time access models. This means any administration or elevation of privileges by IT, other users, or even tasks, should occur for the finite period necessary to complete a task. This is just smart enforcement of least privilege to reduce attack surfaces and threat windows.

Many of the above practices can best be implemented using privileged access management (PAM) and other identity-centric security solutions.

How did the Verkada IoT Breach Happen & What are the Implications?

Unfortunately for Verkada, a provider of IoT cameras and support services, and their customers, none of the above security best practices were enabled. On March 9th, Bloomberg reported a massive security breach into the Verkada network that exposed the live feeds of 150,000 security cameras used in jails, hospitals, and even companies like Tesla. The hackers were apparently stunned at just how easy it was to access such a vast trove of sensitive data for all of Verkada’s customers, remarking that it was “incredibly surreal”.

The exposure revealed live feeds from some incredibly sensitive environments including women’s health clinics, psychiatric facilities, and even police departments. As a former senior-level employee told Bloomberg: “We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally.” The mingling of Verkada customer data to a single, allegedly secure, location was purportedly for facial recognition services used to identify people captured on monitored footage. The threat actors claim they had full access to archives of full video for all Verkada customers, making the security and data privacy issues even more complex.

This leads us to consider some questions with profound data privacy implications:

- Did organizations know that the live feeds could have been a beta version for facial recognition services?
- Did organizations that enabled the beta facial recognition technology disclose to patrons or workers that facial recognition software was in use?
- Did businesses and employees know or consent to data retention of their likeness being captured for archival purposes?