Swiss authorities on Friday raided the home of a computer hacker reportedly under FBI investigation who has also—unrelatedly—taken credit for the recent breach of U.S. security camera company. The company, Verkada Inc., has itself separately been accused of granting employees extraneous access to the private surveillance feeds of potentially thousands of global customers.
Bloomberg, which first broke news of the Verkada breach on Tuesday, now reports that a 21-year-old hacker who’s taken credit is facing possible criminal charges in the U.S. A search warrant served by Swiss authorities and later seen by reporters points to an investigation by the FBI and federal prosecutors in the Western District of Washington.
The hacker, Tillie Kottmann, who is being investigated for earlier possible crimes, told reporters they acquired high-level credentials to Verkada’s network, granting them access to all of its clients’ cameras.
Verkada, founded in 2016, is a maker indoor and outdoor security cameras, access control systems, and environmental sensors. Its cameras and other technology are connected through a cloud-based platform. Its customers include healthcare companies, banks, restaurants, public schools, and more. Several U.S. cities have standing contracts with Verkada to surveil public spaces and structures.
On Wednesday, three former employees told Bloomberg that “more than 100" former colleagues had direct access to the live feeds of Verkada’s clients—including some “20-year-old interns,” according to one Bloomberg source. The accounts have raised questions about the Verkada’s internal policies, though the company has said it “previously” moved to limit camera access to staff working closely with clients.
Among the 150,000 camera feeds accessible to the hacker, more than 200 reportedly belong to electric car maker Telsa. Others are said to offer views inside schools, jails, and hospitals.
Attributing the breach, in part, to their own anti-capitalistic views, Kottmann told Bloomberg on Friday morning that police had searched their apartment in Lucerne, Switzerland, and seized electronic devices. Kottmann’s parents’ home was also reportedly searched. The warrants were authorized under a separate hacking investigation that is unrelated to the breach at Verkada.
Kottmann reportedly resisted using the unauthorized access they obtained to snoop on Verkada’s clients and instead shared their knowledge with a journalist. Their access was revoked soon after. The hack was done, they told Bloomberg, to “[expose] just how broadly we’re being surveilled, and how little care is put into at least securing the platforms used to do so, pursuing nothing but profit.”
A spokesperson for the U.S. Attorney in Western Washington could not be immediately reached for comment.