Is Snowflake the biggest data breach ever?
Read about the latest breach stories, Google's gaffe, and learning resources to boost your cybersecurity career. June's newsletter is here and packed!
One-of-a-kind breach: Malicious actors steal Snowflake customer data
The customers of the cloud data storage platform Snowflake are victims of credential theft, although the data warehouse service isn’t liable for the nefarious activity, according to cybersecurity firm Mandiant.
The attack reportedly began in April 2024, when Mandiant received threat intelligence on database records from Snowflake victims. Mandiant discovered that the threat actors used stolen credentials to steal valuable data from Snowflake customer environments, targeting users without multi-factor authentication. The credentials were illegally obtained with infostealer malware.
Snowflake also confirmed that the cybercriminals illicitly accessed the demo account of a former Snowflake employee, which had no MFA; however, the account neither contained sensitive data nor was connected to Snowflake’s production environment.
Since Mandiant analysed the first incident in April, it has notified 165 potentially exposed organisations, revealing the awful reach of the breach.
Ticketmaster, an American ticket distribution company, connected the Snowflake violation to the personal data exposure of 560 million users. The cloud platform, however, dismissed Ticketmaster’s claim, stating that attackers didn’t exploit any vulnerabilities or misconfigurations on its platform.
Similarly, the third-party intrusion on the online banking platform Santander in May 2024 is linked to the Snowflake bypass. The anecdotal consensus is that the nefarious actors sold data exfiltrated from Snowflake on breach forums, enabling other cybercriminals to access the data of organisations like Santander.
The Snowflake debacle highlights the importance of credential security and the growing use of infostealers in cyber intrusion.
Ransomware attack on Synnovis disrupts healthcare services in the UK
UK healthcare provider Synnovis was a victim of a ransomware attack on Monday, June 3rd, 2024. The cyberattack on Synnovis, which provides pathology services in London, affected patient care in healthcare centres like King’s College Hospital, Guy’s Hospital, and St. Thomas’ Hospital.
When it revealed the intrusion, Synnovis knew neither who was responsible for the attack nor how they had gained entry. But Ciaran Martin (the former chief executive of the National Cyber Security Centre) alleged that Russian hackers are behind the Synnovis ransomware attack, and that financial gain is their intent. “We believe it's a Russian group of criminals who call themselves Qilin. They're simply looking for money,” he told BBC Radio 4’s Today Programme.
A cloudy gaffe: Google deletes UniSuper account… accidentally
Optimal security and personalised control are the selling points of private clouds. But Google did the unprecedented in May 2024: they “accidentally” deleted UniSuper’s private cloud subscription across two geographies. In essence, UniSuper had no data, including backups, for restoration.
Google said an “inadvertent misconfiguration” was responsible for the accidental deletion. The one-of-a-kind occurrence, as Google described it, caused half a million members of UniSuper to lose access to their superannuation accounts (aka retirement savings plan) for one week.
UniSuper restored services after using backup data from another cloud service provider. The UniSuper-Google incident explains why over 9 in 10 Australian organisations use a multi-cloud infrastructure system to improve disaster recovery and redundancy.
The Learning Corner (TLC)
I’m committed to seeing you succeed as a cybersecurity professional. This is why I curated 42 cyber threat intelligence job descriptions in five countries (Canada, Ireland, Nigeria, the UK, and the US) to highlight the top 11 skills you need to become a threat intelligence analyst. Click here to access the resources you need to develop the required skills.
And that’s a wrap for June. See you in July!