The massive data breach at Ticketmaster and another at Santander Bank last month may have resulted from a fundamental failure by the companies to properly secure access to data on a third-party cloud storage service.
These incidents are the latest reminder of why organizations that store sensitive data in the cloud need to implement multi-factor authentication (MFA), IP restrictions, and other mechanisms to protect access to it. This may seem like low-hanging fruit, but it's clear that even mature IT companies continue to overlook cloud security in the rush toward digital transformation.
Massive breaches
In a regulatory filing over the weekend, Live Nation Entertainment, the parent company of Ticketmaster, said it was the victim of a May 20 breach involving a database hosted by a third-party cloud storage provider. The company's disclosure came on May 31, after reports emerged last week that data belonging to about 550 million Ticketmaster customers was being offered for sale on a Dark Web forum by "ShinyHunters," an entity believed to be linked to the BreachForums leak site. Ticketmaster itself has not publicly disclosed any details about the breach beyond what it listed in its SEC filing.
Santander Bank detected a similar breach on May 14. At the time, the Spanish banking institution said someone had gained unauthorized access to a database hosted by a third-party cloud provider that contained employee and customer data. Those affected were mainly Santander customers in Spain, Chile and Uruguay.
ShinyHunters claimed responsibility for the Santander theft as well and said the database it accessed contained data on about 30 million Santander customers, 28 million credit card numbers, account balances, HR employee rosters, and other data. The threat actor offered the data for sale for $2 million.
Neither Ticketmaster nor Santander has revealed the identity of the third-party cloud service. But several security analysts have identified the provider as Snowflake, a cloud data storage provider that counts MasterCard, Honeywell, Disney, Albertsons, JetBlue and other major brands as customers.
Protection failure?
Snowflake has acknowledged that there has been malicious activity targeting some of its customers' accounts in recent weeks, but it has not yet identified the affected customers. The company said its investigation, conducted with help from Mandiant and CrowdStrike, turned up no evidence to suggest the activity was related to any "vulnerability, misconfiguration, or breach of the Snowflake platform."
Instead, the attacks appear to be part of a “broader targeted campaign targeting users with single-factor authentication,” Snowflake said. “As part of this campaign, threat actors leveraged credentials previously purchased or obtained through malware to steal information,” and used them to access customer accounts, the cloud storage vendor said.
David Bradbury, chief security officer (CSO) at Okta, says the recent incidents highlight the importance of ensuring that software-as-a-service (SaaS) applications within corporate environments have phishing-resistant MFA as well as network IP restrictions that limit access to trusted locations only. "However, MFA and inbound IP restrictions are not sufficient in and of themselves," he adds.
Attackers are increasingly focusing on post-authentication attacks that bypass MFA completely, he says. An attacker who can't steal a user's credentials will instead focus on stealing proof of authentication, which is why security mechanisms like session token binding are vital for SaaS applications, Bradbury says.
Based on the information available so far, it does not appear that the Snowflake data leak was the result of any error on the part of the cloud vendor. Instead, it appears to be a failure on the part of the victim organizations to follow basic cloud configuration and security baselines, says Michael Lyborg, chief information security officer at Swimlane.
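The two baseline controls named above, an inbound IP restriction and MFA on every password login, plus the audit queries that show whether an account is still exposed to the single-factor credential-stuffing Snowflake described, expressed as Snowflake SQL. This is an added example, not code from the article, from Snowflake or from any of the people quoted; the policy names, the CIDR ranges and the 30-day window are assumptions. `SNOWFLAKE.ACCOUNT_USAGE.USERS` and `LOGIN_HISTORY` are Snowflake's standard audit views, and the authentication-policy statements assume a Snowflake release that supports `CREATE AUTHENTICATION POLICY`.

```sql
-- Added example, not from the article. Names and IP ranges are placeholders.
-- Run as ACCOUNTADMIN (or a role granted the relevant privileges).

-- 1. Network restriction: accept connections only from corporate egress ranges.
--    203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
--    for the organization's real VPN / office egress addresses (assumed).
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Block logins from outside corporate egress';

-- Attach at account level so it applies to every user, including service users.
-- Make sure the address you are connecting from is in the list first, or this
-- statement will lock out the session that ran it.
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 2. Require MFA enrollment for password logins (authentication policies;
--    assumes a Snowflake release that supports them).
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Single-factor password logins are not allowed';

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Audit: which enabled, password-bearing users still have no MFA enrolled?
--    These are exactly the accounts a credential bought from an infostealer
--    log would open. DISABLED is exposed as a VARIANT in this view, hence the cast.
SELECT name,
       login_name,
       email,
       last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled::BOOLEAN = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE          -- no Duo-based MFA enrolled
ORDER  BY last_success_login DESC NULLS LAST;

-- 4. Hunt: successful logins in the last 30 days that used a password and no
--    second factor, grouped by source IP and client, so unfamiliar egress
--    addresses and non-interactive clients stand out for review.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP  BY 1, 2, 3
ORDER  BY logins DESC;
```

Queries 3 and 4 read from `ACCOUNT_USAGE`, which lags live activity by up to a couple of hours, so they are for auditing and retrospective hunting rather than real-time blocking; the network and authentication policies in steps 1 and 2 are what actually close the door. Any user that step 3 returns should either enroll in MFA or be moved to key-pair or SSO authentication before the policy is enforced, otherwise the enforcement itself becomes the outage.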
Shared responsibility model for cloud security
Under most current shared cloud responsibility models, the cloud vendor and customer typically share responsibility for identity and access management (IAM) and MFA enforcement. But ultimately, it's up to customers to follow the provider's best practices and its configuration and implementation guidelines to mitigate risks to their data, Lyborg says.
"I think providers should implement MFA, least privilege and zero trust by default to help customers on their digital transformation journey. If an exception is made to circumvent the configuration baseline, other compensating controls should be a requirement."
However, Patrick Tiquet, vice president of security and architecture at Keeper Security, says it's unreasonable to expect cloud providers to implement mandatory MFA and other secure-by-default practices in all cases.
“Every organization has unique security requirements and preferences, and standardized security measures can limit the flexibility and customization that customers seek from cloud services,” he says. “In addition, some customers may already have robust security protocols in place or may prefer to implement their own security measures, tailored to their specific needs.”
Even so, the Ticketmaster and Santander breaches show that organizations relying on their own security measures must be aware of the potential risks, and of the fact that weak or absent authentication mechanisms are prime targets for attackers seeking unauthorized access.
"As cloud adoption continues to grow, and more organizations move their operations to the cloud, it is essential for both cloud providers and customers to prioritize security and implement robust measures to protect against cyber threats," says Tiquet.