Snowflake breach: What happened?

And could it have been avoided?

What happened with the Snowflake breach? 34 million users (already) were recently compromised in a data breach of the cyber security firm Cylance.

Attackers breached Cylance by attacking a third-party vendor of theirs, known as Snowflake. The breach affected over 34 million users compromising emails and personal information. So it has significant implications, especially since the stolen information is already being sold on the dark web.

Snowflake Inc. is an American cloud computing–based data cloud company based in Bozeman, Montana. The firm offers a cloud-based data storage and analytics service, generally termed "data-as-a-service".

Snowflake breach: What happened?

On May 23, 2024, Snowflake publicly disclosed a breach, confirming that certain customer accounts had been compromised.

Snowflake’s internal security team found unauthorized access to their systems, discovering the breach. Exploiting a weakness in Snowflake’s voluntary authentication process (lack of multi-factor authentication), the attackers circumvented security protocols, and were able to access sensitive data.

This situation has had an intense ripple effect. As a result, up to 10 companies are grappling with ransom demands ranging from $300,000 to $5 million. Mandiant, involved in Snowflake’s response efforts, reported that the hacking campaign has escalated, with ransom demands increasing and even death threats directed at cybersecurity professionals investigating the incident. The hackers exploited vulnerabilities in Snowflake users’ single-factor authentication methods to gain unauthorized access. Mandiant expects the ransomware group to keep up their attempts to extort additional victims.

Who’s Impacted in the Snowflake breach?

According to this article, a threat actor linked to the Snowflake campaign disclosed accessing data from a large number of companies. The list includes Ticketmaster, Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, Santander Bank, and State Farm.

What have investigations revealed so far?

According to Channel Insider, investigations have so far determined that Snowflake’s multi-factor authentication policy (or lack there of) is the most likely reason for how large the breach has become so far.

Security experts strongly recommend Multi-factor authentication (MFA). With MFA, users must have secondary methods of verifying their identity, in addition to usernames and passwords. There are a few ways to set MFA up, and each translates to a different level of security:

  1. Most secure: Biometric (face, fingerprint, etc)
  2. Second most secure: Authenticator app (Duo, Authy, Google, etc)
  3. Least secure: Text or email (most easily intercepted by cyber criminals).

According to Snowflake’s community FAQs, “No, MFA can’t be enforced for a role. MFA is enabled on a per-user basis; however, at this time, users are not automatically enrolled in MFA. To use MFA, users must enroll themselves.”

Therefore, companies that used Snowflake should have properly vetted that the user policy didn’t require MFA. So, if they had wanted to protect themselves and their own users, they should have had the opportunity to enforce it themselves.

Neglecting to enable MFA created significant vulnerabilities and increase cyber risk, possibly providing attackers with a way to “open the door” to sensitive data.

What could Snowflake have done differently (that we can learn from?)

This event is a scary reminder of why effective information security policies and practices are critical in today’s cyber landscape. It emphasizes the importance to have regularly scheduled security consultations. You can then review and enhance security protocols, be transparent with customers, and remain vigilant against cyber risks.

Snowflake swiftly reacted in addressing the vulnerability. This included launching a comprehensive investigation, and partnering with cybersecurity specialists to ascertain the breach’s complete scope. Additionally, they promptly informed impacted customers and regulatory authorities in adherence to compliance standards.

Although worrying, Snowflake’s breach provides an opportunity to learn how to improve current information security measures – both for the industry as well as organizations. It underscores the importance of pre-emptive security measures, the necessity for immediate and efficient response procedures, and the key role of continuous monitoring in safeguarding business data.

As Snowflake begins to rebuild trust, businesses must similarly assess their cyber defence strategies to improve their security posture.

You can read more here: “The Snowflake Attack May Be Turning Into One Of The Largest Data Breaches Ever”.

As a final take-away, supply-chain risk refers to every business from which you procure services and materials. The easiest way to understand that risk (and therefore handle it), is to conduct a vendor risk assessment before starting to do business with any company.