(Bloomberg) — Verkada Inc.’s security camera customers were livid. Hackers had breached footage from thousands of surveillance devices trained on their operations, including schools, prisons, hospitals and companies around the world. On a webinar with Verkada’s CEO, users wanted answers. Fast.
One pointed question came from Sequoia Capital, Verkada’s most prominent investor: How, inquired Silas Thomas, information technology manager at the venture capital firm, can we cut off Verkada employees from access to Sequoia’s cameras?
Verkada Chief Executive Officer Filip Kaliszan told Thomas that access had already been disabled. In response to another customer’s query, he summed up the mood. “We understand that this definitely kind of made it difficult to trust us.”
Once little known outside of Silicon Valley, Verkada gained unwanted notoriety in March after Bloomberg reported that hackers had accessed the internet-connected cameras in facilities of its customers, including the carmaker Tesla Inc. and cybersecurity firm Cloudflare Inc.
Although some sales staffers allegedly marketed Verkada as “virtually unhackable,” the breach exposed alarmingly lax safeguards at a company selling powerful surveillance tools that include facial recognition technology and that promised security and privacy protections to go with them. In the weeks since then, current and former employees have told Bloomberg that the inattention to data protection was emblematic of a larger “bro culture” that was sophomoric and sales obsessed, and which tolerated the harassment of women, frequent partying and misleading marketing claims.
Video footage of female employees was passed among male colleagues, who offered graphic comments, and in-office parties — even during the pandemic — were prone to excessive drinking and occasional drug use, according to the employees.
“Verkada gives frat boys a bad name,” one former sales employee said.
In a statement, a Verkada spokesperson said, “We acknowledge that early on, our internal policies did not initially keep pace with our rapid growth; however, we have taken several steps to ensure we are creating a supportive and inclusive environment.” A party celebrating the company’s first $100 million in sales, during which many employees didn’t wear masks despite the pandemic, was “a lapse in judgement,” the spokesperson said.
“Excessive drinking in the office and illicit drug use of any kind — both of which are grounds for termination — have never been commonplace at Verkada,” the spokesperson said. In-office celebrations could include champagne toasts but didn’t mean employees were intoxicated.
During the last year, Verkada has expanded its human resources team, completed a gender pay equity review and made compensation adjustments, implemented new training programs and strengthened mechanisms that employees can use to report abusive behavior with a 24/7 anonymous hotline, the company said. Verkada also has “refocused how we recruit and hire diverse candidates,” according to the spokesperson.
“Verkada is committed to creating a workplace that is respectful and inclusive of everyone,” the spokesperson said. “We have clear policies around sexual harassment and workplace behavior and there have been and will continue to be consequences for anyone who violates them.”
The company declined to comment on some of the specific instances outlined in this article, nearly all of which three or more current or former employees confirmed. For this story, Bloomberg interviewed eight current Verkada employees and 15 former employees, all of whom requested anonymity either to protect professional relationships or because they weren’t authorized to speak on the company’s behalf.
Some praised Verkada’s sense of camaraderie and management, particularly recent efforts to address cultural problems such as hiring more women and cracking down on misbehavior. However, most spoke critically of the company and its work environment.
Signs of internal problems emerged last year, after a group of men at Verkada captured images of female employees with internal cameras, without their knowledge, and posted them on a Slack channel, along with sexually graphic comments, several former employees said. The rogue Slack channel was initially reported in October 2020 by the trade publication IPVM.
The organizers initially received a light punishment — they had their stock options reduced — but were later fired after news of the Slack channel spread, former employees said. In an October communication to his staff, Kaliszan said the initial discipline wasn’t adequate and apologized.
In another episode early this year, Verkada fired a sales manager after he exposed himself to a female colleague at a late-night, out-of-office gathering involving some members of the sales team, according to three people familiar with the incident. The firing, which came swiftly after an internal investigation, was considered a turning point in the company’s attitude toward inappropriate behavior, according to the people. The sales manager declined to comment.
Verkada isn’t the only Silicon Valley startup in which employees — often young, single and flush with cash — have engaged in questionable behavior, including sexual misconduct and substance abuse. But Verkada sells security cameras that peer into offices, factory floors, intensive care units and other sensitive areas — the kind of product that demands professionalism and discretion.
Based in San Mateo, Verkada was founded in 2016 by three computer science graduates from Stanford University — Kaliszan, James Ren and Benjamin Bercovitz — and an experienced technology hand, Hans Robertson, a Massachusetts Institute of Technology graduate. He had co-founded the startup Meraki, which sold cloud-managed networking devices and was acquired by Cisco Systems for $1.2 billion in 2012.
Figures provided by Verkada show that the company raised money quickly: $15 million in 2018 led by Next47, $40 million in April 2019 led by Meritech Capital Partners and Sequoia Capital, and $80 million in November 2019 led by Felicis Ventures. By then, the company was valued at $1.6 billion; it now has 550 employees.
Its market share had grown rapidly too, from 38 customers in 2017 to more than 5,500 last year, according to the company’s website.
But according to former employees and others, Verkada’s sales pitch to customers sometimes included misleading claims.
In some instances, sales staffers told customers that Verkada’s system was “virtually unhackable,” and that Verkada had hired the cybersecurity company Okta Inc. to perform a penetration test to gauge the safety of its networks and determined that it couldn’t be breached.
An Okta spokesman said the company conducted its own penetration test of Verkada as part of its due diligence as a customer and found some vulnerabilities, which it forwarded to the camera company. Okta said it never conducted a pen test on behalf of Verkada. “It is disingenuous to use the Okta brand in this manner,” the spokesman said.
The Verkada spokesperson said, “We expect our sales team to accurately represent our products and answer questions truthfully.”
Verkada also marketed itself to potential customers as a “Stanford/MIT company,” according to emails that Bloomberg obtained via public records requests. Stanford said it wasn’t affiliated with Verkada, and MIT said in a statement, “Companies should not refer to themselves as an ‘MIT company’ simply because of a founder’s alumni status.”
At the same time, Verkada’s sales team engaged in behavior that went well beyond the norm in a profession that thrives on adrenaline and profits, the employees said. Drinking among the sales staff was allegedly excessive even by the often-casual standards of technology startups, where refrigerators full of beer aren’t uncommon. Two former employees said they saw cocaine use in the office.
Impromptu celebrations would break out when a sales representative closed a deal worth more than $20,000, with alcohol flowing and music blaring, according to the employees. The sales team would regularly engage in a chant – “Mo-ney! Mo-ney! Mo-ney!” – that would become a roar, sometimes lasting minutes.
A sales team scavenger hunt in 2019 included drunken employees filing into a Casper store in San Francisco, where they bounced on the mattresses, wrestled with each other and posed for pictures. The store manager called Verkada’s customer service line to complain, saying their employer was obvious due to the group’s logo-emblazoned T-shirts. A Casper spokeswoman confirmed the incident but provided no further details.
One employee described being on the phone with a customer, when suddenly some members of the sales team turned on a speaker and began blasting a Cardi B song with sexually explicit lyrics. The employee recalled having to seek a quieter place in the office and apologize to the customer.
Management at least acknowledged the disruption caused by the sales teams’ allegedly bawdy antics. They told some of the engineering staff to expense noise-canceling headphones, according to two former employees.
Some former employees said they felt left out while working at Verkada, which grew up at a time when Silicon Valley was reckoning with the MeToo movement and companies from Google to Uber were addressing challenges faced by female employees. At Verkada, meetings and events routinely began with Robertson saying, “OK boys” or “Yeah, gentlemen,” seemingly ignoring the women in the room, the former employees said. Two other former staffers described a loud discussion in the open-plan office about a well-qualified job candidate. A Verkada marketing executive said he didn’t want to hire her because she was a mother and wouldn’t be motivated to work on weekends.
The marketing executive didn’t respond to a message seeking comment. The Verkada spokesperson said the company rejects that characterization. “Verkada looks for the best people for every role, and we would never discriminate.” Many of its employees are parents, including those on the executive’s team, the company’s spokesperson said.
In November 2019, at an all-hands meeting where employees could submit inquiries anonymously via an app, one pointed out that a female director had departed, leaving no women executives, while another questioned Verkada’s “pervasive hyper-masculine culture,” according to screenshots reviewed by Bloomberg. The questions were read aloud and answered by Kaliszan, who said a group of friends who happened to be male founded the company. But he said Verkada needed to make an effort to hire more women.
In responses on the app, which employees could view in real time, one wrote anonymously, “Some employees are too concerned with a liberal agenda.” Another wrote, “Proud to work at a company that is hiring the best people for the job regardless of their gender.”
According to a Verkada spokesperson, the company hired a new head of human resources, Dervilla Lannon, in March 2020, and she was promoted in November, joining the executive team. Of its employees, 21% identify as female, and they make up 23% of management positions, according to the spokesperson, who added the company still has a way to go.
The recent hack raised new questions within the company. Two current and three former employees said they believed the aggressive focus on sales and growth, paired with the allegedly boisterous office environment, contributed to a lack of attention on security.
Three former engineering employees said they had raised concerns internally between 2018 and 2019 about the widespread use of Super Admin accounts, which gave staffers access to customer cameras. The accounts didn’t always require extra security settings to log in, such as two-factor authentication, making them potentially vulnerable to hackers if passwords were leaked or otherwise compromised.
Last year, the company began reducing the number of employees with those accounts and tightened settings, ensuring that newly created Super Admin users would have to use two-factor authentication, according to two former employees. However, the employees said, the new settings weren’t applied to some older accounts, and it remained possible for someone with Super Admin credentials to log in and view camera footage through a Verkada website that was accessible on the internet.
Those oversights would come back to bite the company. In March, Verkada hired Kyle Randolph, an experienced chief information security officer. But Randolph, a former security engineer at Twitter Inc. and Adobe Inc., had little time to patch up the vulnerabilities. In his second week on the job, an international hacker collective gained access to a Super Admin account and breached Verkada, gaining entry to customer cameras and throwing the company into crisis.
Randolph didn’t respond to messages seeking comment.
“I wasn’t shocked by the hack – the way we did some things could be prone to abuse,” said one former Verkada engineer. “We were not mature enough as a company. We were driven too much by numbers.”