Facial Recognition Ban May Have Saved San Francisco from Hack

A wide-ranging breach of security camera technology company Verkada appears to have compromised the security of thousands of private and public institutions across the world, including some in the San Francisco Bay Area.

(TNS) — A wide-ranging breach of San Mateo, Calif., security camera technology company Verkada appears to have compromised the security of thousands of private and public institutions across the world, including some in the San Francisco Bay Area.

San Francisco's city government seems to have been spared, however, due in part to a 2019 ordinance banning the use of facial recognition technology by the city's Police Department and other agencies.

The intrusion was first reported by Bloomberg.

The Chronicle obtained a supposedly leaked list of Verkada customers. While it could not be independently verified, the list contained detailed information about companies and public agencies including some Bay Area municipalities and school districts.

San Francisco security and user identification software company Okta was among those on the list. In an emailed statement, spokeswoman Lindsay Life said the company's service had not been affected by the Verkada breach.

"After conducting further investigation, Okta determined that five Verkada cameras were compromised. These cameras were isolated and separate from Okta's production and company networks. Okta does not employ facial recognition technology, and there is no evidence that any live streams were viewed during the limited access that occurred. Okta employs Verkada technology only in office entrances," Life said.

In a blog post, online security company Cloudflare said it used Verkada cameras in its San Francisco offices and other locations. The company included screenshots from the cameras in the post and said it shut the cameras down when it became aware of the breach.

The South San Francisco Unified School District was included in the list, but spokesman Peter Feng said in an email, "The district has purchased a handful of Verkada units for evaluation but has not deployed them." He said that they had not heard from Verkada and that the school district uses a different manufacturer for its camera systems, although he declined to say which.

"The information regarding the security breach will certainly be taken into consideration during our evaluation," of the Verkada cameras, Feng wrote.

The Fremont Union High School District was another school district included on the unverified list. Chief Business Officer and Associate Superintendent Christine Mallery said in an email that she was not aware of the situation and did not respond to a follow-up email.

Mills College, also included on the list, said in an email that the school does use Verkada cameras but had not been notified they were part of any breach.

Other educational institutions on the list that could not be reached for comment included the Morgan Hill Unified School District, Mission Dolores Academy in San Francisco, Menlo College and San Jose Evergreen Community College District.

An email address that appeared to be linked to the Stanford University School of Medicine also appeared on the list, although spokeswoman Julie Greicius said in an email that the school and its hospitals do not use the cameras and were not affected.

The private University of the Pacific, which has a campus in San Francisco, was listed, but spokesman Liam Connolly said in an email that the school does not use Verkada cameras on any of its campuses and was not affected.

The Sunnyvale Public Library was also on the list. Jennifer Garnett, communications officer for the Sunnyvale Office of the City Manager, said in an email that she was checking with staff when asked if the library or other city departments used the cameras.

Redwood City appeared on the list. Spokeswoman Jennifer Yamaguma said via email that the Police Department there does not use Verkada equipment or software, nor does any city department.

The Alameda Health System was also listed but did not respond to questions about the hack.

Some facilities of electric-car maker Tesla in China and California were also accessed during the hack, according to a report. The company did not immediately respond to an emailed request for comment.

District Three Supervisor Aaron Peskin, who sponsored the ordinance banning facial recognition technology from being used in San Francisco, said the legislation had been intended to protect people from being unfairly profiled or having their privacy invaded.

Asked if he had thought about the potential to avoid hacks like this when working on the legislation, Peskin said he hadn't. He said his concerns were more focused on the technology having "biases that disproportionately identified women and people of color."

"Even if it is perfect, I don't know if that's something we want in our society," Peskin said.

Under the ordinance, city agencies that access surveillance data have to have a plan for how the information will be used, retained and deleted, a process that is ongoing at the San Francisco Board of Supervisors, according to Peskin legislative aide Lee Hepner.

Groups like the ACLU have fought against the use of facial recognition technology by public agencies. In an emailed statement, ACLU of Northern California Technology and civil liberties attorney Matt Cagle said the hack is an example of the privacy risks posed by surveillance.

"The danger doesn't end at hackers," Cagle said. "When cities and businesses surround streets and buildings with corporate surveillance systems — especially those with facial recognition capabilities — they are setting people up to be targeted by racist policing and predatory agencies like ICE who are eager to pry away control and co-opt these systems."

It was not clear from the list which cameras used the company's facial recognition technology, although Verkada's website alludes to those features being standard. Company marketing materials claim its software is secure and allows cameras to be accessed on any device anywhere in the world.

The intrusion has been attributed to a group that includes a Swiss hacker who goes by Tillie Kottman. Kottman said in a message to The Chronicle that they were able to log in with superadministrator-level access and view any cameras on Verkada's network, along with archived footage.

"We have disabled all internal administrator accounts to prevent any unauthorized access," a Verkada spokesperson said in an emailed statement. "Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement."

(c)2021 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.