(Reuters) – U.S. electric vehicle maker Tesla Inc said on Wednesday a hacking incident reported on Tuesday was restricted to a supplier’s production site in Henan province, China, and its Shanghai car factory and showrooms were not affected.
A small group of hackers earlier this week viewed live and archived surveillance footage from hundreds of businesses by gaining administrative access to cameras supplied by Verkada, one of the hackers told Reuters on Tuesday.
Verkada acknowledged an intrusion, saying it had disabled all internal administrator accounts to prevent unauthorized access. “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement” and customers, it said on Tuesday.
Swiss software developer Tillie Kottmann, who has gained attention for finding security flaws in mobile apps and other systems, shared with Reuters recordings allegedly from inside a Tesla factory in China and a showroom in California.
Kottmann also shared a list of Verkada user accounts and screenshots from other venues, including an Alabama jail, hospital rooms, a police interview area and a community gym.
Reuters could not independently verify the authenticity of the list or screenshots, but they included detailed data and matched other materials from Verkada. Madison County Jail in Alabama did not respond to requests for comment.
In a statement to Reuters, Tesla China said the hacking incident only involved one of its suppliers’ production sites in China’s Henan province and neither its Shanghai car factory nor showrooms were affected.
It also said data from the supplier’s factory was stored locally and there was no security risk mentioned in the hacking incident. It has stopped the cameras in the supplier’s factory from working or linking to the internet.
Kottmann declined to identify other members of the hacking group. It sought to draw attention to the pervasive monitoring of people after having found login information for Verkada’s administrative tools publicly online this week, Kottmann said.
Kottmann said Verkada cut off the hackers’ access hours before Bloomberg first reported the breach on Tuesday.
The hacking group, if it had chosen, could have used its control of the camera gear to access other parts of company networks at Tesla and software makers Cloudflare Inc and Okta Inc, according to Kottmann.
Cloudflare said its security measures were designed to block a small leak from becoming a wider intrusion, and that no customer data were affected.
Okta said it was continuing to investigate but that its service was not affected.
Verkada says on its website it has over 5,200 customers, including cities, colleges and hotels. Its cameras have proved popular because they pair with software to search for specific people or items. Users can access feeds remotely through the cloud.
In a 2018 interview with Reuters, Chief Executive Filip Kaliszan said Verkada had deliberately made it easy for many users at an organization to watch live video feeds and securely share them, such as with emergency responders.
Verkada has raised $139 million in venture capital, with the latest financing announced a year ago valuing the Silicon Valley startup at $1.6 billion.
Verkada drew scrutiny last year after Vice reported that some employees had used company cameras and its facial recognition technology to take and share photos of female colleagues. Kaliszan later described the behavior as “egregious” and said three people had been fired over the incident.
(Reporting by Paresh Dave, Jeffrey Dastin and Yilei Sun; Editing by Peter Cooney, Lincoln Feast and Mark Potter)