Snowflake lessons: Are you doing enough to protect your sensitive data holdings?
What happened?
Mass data breaches have become a persistent feature of the cyber threat landscape. Two recent developments provide important insights into the threat actor behaviour associated with these kinds of incidents, and the steps organisations can take to avoid them.
Since January, hundreds of customers of cloud services company Snowflake have suffered data breaches. The attackers targeted customer information held by organisations using Snowflake – over a billion individuals globally may have been affected. First, criminals stole Snowflake credentials from employees or IT contractors at organisations using Snowflake. Second, these credentials were sold on dark web marketplaces. Third, threat actors compromised Snowflake tenancies using these valid credentials. In many cases, the attacks succeeded because the compromised accounts did not have multi-factor authentication (MFA) enabled.
Very similar themes permeate the Australian Information Commissioner’s submission to the Federal Court of Australia this month – relating to a 2022 data breach of Australian health insurer Medibank. The Information Commissioner alleges that a threat actor used credential-stealing malware to steal the credentials of an employee at a “third-party IT contractor”. The Information Commissioner then alleges that a threat actor logged onto the victim’s network using “only” those stolen credentials, because MFA was not enabled at that time.
Why now?
Data breaches are growing in severity. There is a significant illicit market for the sale of stolen data, from single credentials stolen from a personal device, through to multi-million record data breaches. Concerningly, CyberCX Intelligence is seeing an increased volume of Australian credentials for sale on cyber criminal marketplaces. This ‘initial access’ market is equipping criminals with the means to conduct more significant data breaches.
We often find stolen credentials associated with:
A single IT contractor can commonly have administrator credentials for multiple companies, making these third-party entities a lucrative target for cyber criminals. In several cases, we’ve seen dozens of admin credentials stolen from just one contractor and offered for sale for US$10 or less.
How could this impact me and my organisation?
A data breach can cause significant reputational damage and harm to customers. At the least, investigation and remediation of a major data breach is costly, and for larger organisations can easily run to more than $1M.
At the same time, regulators are increasingly signalling that they will hold organisations to account for data breaches. In its recent filing, the Information Commissioner makes clear it will consider a company’s “size, resources, the nature and volume of the personal information it held … and the risk of harm for an individual in the case of a breach” in assessing what steps should have been taken to protect personal information. The Australian Communications and Media Authority (ACMA), Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) are also increasingly forward-leaning about setting and enforcing cyber governance standards across their regulated industries.
What should I do?
Business leaders should learn from breaches happening in similar organisations and consider what’s reasonable and proportionate to the threats they face. The Snowflake breaches and Information Commissioner filing are timely reminders that organisations should:
Manage access and identity with MFA and password complexity requirements, supported by implementation of an enterprise-wide password manager. MFA should apply to key systems and services, not just corporate laptops.
Regularly review privileged access management to ensure application of minimal permissions required to undertake work. Best practice would see separation of administrative and daily use roles (email and internet browsing) across separate accounts.
Consider dark web monitoring to identify if your organisation’s user credentials have been stolen and are being sold by criminal initial access brokers.
Conduct security assurance testing to ensure that security policies such as MFA are sufficient and being adhered to – and implement remedial measures where gaps are identified.
Manage BYOD risk by minimising activities undertaken on non-corporate infrastructure. Expand your monitoring perimeter to include BYOD devices or require a security agent to be installed on them.
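As an added example (not part of the CyberCX article), the assurance-testing and access-review points above can be made concrete for a Snowflake tenancy: two queries over the SNOWFLAKE.ACCOUNT_USAGE views surface the password-only access that the breaches relied on, and an account-level authentication policy closes the gap. The column names, the 30-day window and the privileged-role list are assumptions to adjust for your own account.

```sql
-- Added example, not CyberCX's or Snowflake's own code. Run as a role with
-- access to SNOWFLAKE.ACCOUNT_USAGE (e.g. ACCOUNTADMIN). Assumes the documented
-- LOGIN_HISTORY and USERS views and the column names used below.

-- 1. Successful logins in the last 30 days (window is a constructed choice)
--    that used a password with no second factor. Each row is an identity
--    that a stolen password alone could have reproduced.
SELECT user_name,
       COUNT(*)                  AS pw_only_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MAX(event_timestamp)      AS last_pw_only_login
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY pw_only_logins DESC;

-- 2. Enabled users who still hold a password but have not enrolled in MFA
--    (EXT_AUTHN_DUO is the enrolment flag assumed here), with accounts whose
--    default role is administrative listed first so they are remediated first.
SELECT u.name,
       u.default_role,
       u.last_success_login
FROM   snowflake.account_usage.users u
WHERE  u.deleted_on IS NULL
  AND  u.disabled::BOOLEAN      = FALSE
  AND  u.has_password::BOOLEAN  = TRUE
  AND  u.ext_authn_duo::BOOLEAN = FALSE
ORDER BY CASE WHEN u.default_role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'SYSADMIN')
              THEN 0 ELSE 1 END,
         u.last_success_login DESC NULLS LAST;

-- 3. Closing the gap at the account level: every password login must complete
--    MFA enrolment. Policy syntax is assumed as documented at the time of
--    writing; check it against your account's documentation before applying.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_for_passwords
  MFA_ENROLLMENT = REQUIRED
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_for_passwords;
```

Re-running query 1 after the policy is applied gives a direct measure of whether the control is being adhered to, which is the assurance test the list above asks for.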
Security starts in the c-suite. Executives are high-value targets. Well-connected, they’re gateways to their organisation, sensitive information and professional network. High-profile, they’re easy to find. Trusted and influential, their brand is readily exploited. C-Suite Cyber helps business leaders master their cyber risk.
About CyberCX Intelligence
CyberCX Intelligence is a uniquely Australia and New Zealand focused capability. We have the information, access and context to give executives a decision advantage – whether that’s minimising their personal risk or leading their organisation’s risk posture.
Want more? Contact [email protected] to explore how you could partner with cyber intelligence experts who speak your business language and know your sector. You can also subscribe to Cyber Adviser, our bite-sized monthly intelligence newsletter.
Cyber Security Analyst | CompTIA, Security+ Certified | Network Security | Cloud Security
7 months
Great insights on protecting sensitive data! The Snowflake and Medibank cases are real eye-openers. What are the top three steps organizations can take right now to improve their data protection and prevent breaches like these?
Senior Commercial Specialist | NTT-DATA, Inc
9 months
Some basic steps organisations need to take to ensure their critical data stays safe and secure at all times...