This is Cloudflare's official statement (I work for Cloudflare):
This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for nearly a year.
As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. No customer data or processes have been impacted by this incident.
This incident emphasizes the importance of the Zero Trust model that Cloudflare follows and provides to customers, which ensures that if any one system or vendor is compromised, it does not compromise the entire organization. Unlike the previous castle-and-moat approach, a Zero Trust model functions more like bulkheads in a ship, making sure that a leak in one place doesn’t sink the entire ship.
Hackers gained access to over 150,000 of [Verkada]’s cameras, including cameras in Tesla factories and warehouses, Cloudflare offices, Equinox gyms, hospitals, jails, schools, police stations, and Verkada’s own offices, Bloomberg reports.
This sounds silly, of course, but it wouldn't surprise me if someone cheaped out somewhere and connected two networks that should never be connected together.
That’s kind of beside the point, any aircraft security staff involved would demand segregation. 150k random companies? Hell, 75% don’t even have security teams.
>The cameras were located in offices that have been officially closed for nearly a year.
This explanation begs the obvious question, why were they still connected to Cloudflare's internal network for nearly a year? Does Cloudflare just keep paying rent for 'officially closed' offices? Obviously this ArsonCats group is exaggerating the extent of the hack but this official explanation from Cloudflare doesn't exactly pass the sniff test either.
I don’t know about Cloudflare specifically, but almost every Cloudlfare-sized tech company in SF has had their offices closed to employees for a year. Most of them plan to reopen and are continuing to pay rent.
Under those circumstances it definitely makes sense to keep the cameras on.
I understand this and that's the point I'm trying to make here. The statement is just deflecting and downplaying the issue. What exactly does 'officially closed' mean? The office wasn't 'officially closed', it was unoccupied because of COVID. It was still paid for by Cloudflare and on it's network. The statement is purposefully misleading.
This afternoon we were alerted that the Verkada security camera system that monitors main entry points and main thoroughfares in a handful of Cloudflare offices may have been compromised. The cameras were located in offices that have been officially closed for nearly a year.
As soon as we became aware of the compromise, we disabled the cameras and disconnected them from office networks. No customer data or processes have been impacted by this incident.
This incident emphasizes the importance of the Zero Trust model that Cloudflare follows and provides to customers, which ensures that if any one system or vendor is compromised, it does not compromise the entire organization. Unlike the previous castle-and-moat approach, a Zero Trust model functions more like bulkheads in a ship, making sure that a leak in one place doesn’t sink the entire ship.