Cyber Incident Victim: Bank of Utah
Date: Mar 2021
Location: United States of America
Summary
Hackers compromised a surveillance vendor's super admin account using exposed credentials, gaining unauthorized access to live camera feeds and system controls at multiple organizations including Bank of Utah, Tesla, and Cloudflare. The breach allowed extraction of surveillance footage from banks, healthcare facilities, and correctional institutions, alongside demonstrations of root-level access to security infrastructure. The vendor revoked compromised credentials, initiated an investigation with external cybersecurity experts, and notified law enforcement, while one affected organization clarified that breached cameras were in unused facilities with no customer impact. The incident was linked to a campaign referencing panopticon surveillance concepts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 9, 2021, hackers affiliated with #OperationPanopticon breached live surveillance camera systems at multiple high-profile organizations, including Bank of Utah, Tesla, Equinox, healthcare clinics, jails, and Cloudflare. The attackers exploited hardcoded credentials for a Verkada super admin account discovered in exposed DevOps infrastructure, granting them unrestricted access to enterprise security systems. Verkada, a surveillance technology provider serving these organizations, managed IoT cameras and automation systems that were compromised during the incident. Reverse engineer Tillie Kottmann, representing the hacking group, publicly shared images captured from surveillance feeds at Tesla facilities, Equinox gyms, and Bank of Utah locations, demonstrating unauthorized access to live video streams. The attackers also obtained root shell access to Linux-based surveillance infrastructure at Tesla headquarters and Cloudflare, evidenced by screenshots showing system MAC addresses corresponding to Verkada hardware. This access enabled potential manipulation of security systems beyond mere surveillance observation.

Verkada disabled all internal administrator accounts upon discovering the breach after being contacted by Bloomberg News, terminating the hackers' access. The company initiated an investigation with its internal security team and an external firm while notifying law enforcement agencies. Cloudflare confirmed compromised cameras were located in offices closed for several months, stating no customer systems or data were impacted. Bank of Utah's specific operational consequences were not detailed in available reports, though the breach exposed sensitive internal surveillance footage from financial institution premises. The incident highlighted systemic vulnerabilities in third-party managed security infrastructure, particularly the risks of hardcoded credentials in DevOps environments. No further public statements from Bank of Utah regarding containment measures or forensic findings were documented at the time of reporting. Verkada's investigation remained ongoing to determine the full scope of accessed systems and data.
