
What the Snowflake Data Breaches teach us about data security

The recent data breaches of customer Snowflake instances show the importance of good data security.

In the past weeks we’ve witnessed some of the biggest data breaches of the year, and more data breaches are expected to unfold in the coming weeks. Ticketmaster was affected by a breach in which 1.3 TB of customer data representing half a billion customers was exposed, and Santander reported a data breach impacting 30 million customers. ShinyHunters, the hacker collective responsible for the breaches, is putting the data dumps from Ticketmaster and Santander up for sale at USD 500K and USD 2 million respectively.

ShinyHunters on Breach Forums claiming Ticketmaster data breach (Hackread.com)

What happened?

At the time of writing, what exactly happened is still a matter of speculation. HudsonRock claimed that Snowflake’s servers got breached, which Snowflake denies in an official statement, claiming instead that the hackers got unauthorised access to customers’ individual accounts using stolen credentials.

"Research indicates that these types of attacks were performed using our customers' user credentials that were exposed through unrelated cyber threat activity."

We agree that it is far more likely that hackers got access to Snowflake environments using compromised end users’ credentials to extract enormous amounts of data, as claimed by Snowflake. This is, in fact, the most common way for data breaches to occur. According to the 2024 Verizon breach report, credentials of web applications are the primary attack vector, meaning that most data breaches take place through a hacker gaining access to a web application via stolen credentials, social engineering, or credential stuffing.

Most data breaches happen through credentials of web applications (Verizon, 2024)

This type of data breach will continue to happen. Hackers operate like any other business striving for optimal ROI. With cloud data providers like Snowflake becoming household names and storing enormous amounts of sensitive data, we can expect more and more hackers to invest in developing attack patterns against these providers.

What can you do?

What do you have to do? In our opinion, it will be a combination of measures. At the perimeter, Snowflake rightly recommends that you:

  • Turn on Multi-Factor Authentication (MFA)
  • Rotate Passwords
  • Only allow access from trusted locations (VPN)
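What those three perimeter measures look like when applied to a Snowflake account, as an added example (not code from the post or from Snowflake’s own guidance). The policy, user and IP values are constructed placeholders; the authentication-policy statements are a newer Snowflake feature, so check the exact clauses against the release you run.

```sql
-- 1. Only allow access from trusted locations: an account-level network policy.
--    Snowflake refuses to activate a policy that would block the IP you are
--    currently connected from, so run this from the VPN egress you allow-list.
CREATE NETWORK POLICY corp_vpn_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.7')   -- constructed VPN egress ranges
  COMMENT = 'Only corporate VPN egress may reach this account';

ALTER ACCOUNT SET NETWORK_POLICY = corp_vpn_only;

-- A service account that connects from one pipeline host gets a narrower policy
-- of its own, so a stolen pipeline credential is useless from anywhere else.
CREATE NETWORK POLICY etl_host_only ALLOWED_IP_LIST = ('192.0.2.15');
ALTER USER etl_loader SET NETWORK_POLICY = etl_host_only;

-- 2. MFA: first list password users who never enrolled a second factor ...
SELECT name, login_name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE          -- password login possible, so credential theft applies
  AND ext_authn_duo = FALSE;       -- no MFA enrolled

-- ... then make enrolment mandatory for the whole account.
CREATE AUTHENTICATION POLICY require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;

-- 3. Rotate passwords: invalidate the current password without choosing the
--    new one yourself (the user gets a one-time reset link), and stop any
--    query the old credential may still be running.
ALTER USER analyst_jane RESET PASSWORD;
ALTER USER analyst_jane ABORT ALL QUERIES;
```

Apply the network policy before the password reset: a rotated password does nothing if the new one can still be replayed from an attacker’s own IP.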

These measures are aimed at preventing a data breach, but Data Teams will have to add further lines of defence for when a breach actually occurs.

  • Continuous monitoring to detect and remediate unauthorised access.
  • Least privilege access management to reduce the blast radius.
  • Regular reviews to remove unused long-standing privileges.
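The three inner lines of defence as Snowflake queries a data team could schedule, added here as an example rather than taken from the post. The role, schema, user and IP-range names are constructed; the queries read the `SNOWFLAKE.ACCOUNT_USAGE` views, which lag live activity by up to a couple of hours, so they suit periodic review rather than real-time alerting.

```sql
-- Continuous monitoring (a): successful logins that had no second factor,
-- or that came from outside the allow-listed VPN range.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor, second_authentication_factor
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -1, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND (second_authentication_factor IS NULL        -- MFA was not used
       OR client_ip NOT LIKE '203.0.113.%')        -- constructed VPN range
ORDER BY event_timestamp DESC;

-- Continuous monitoring (b): a user pulling far more rows today than their
-- own 30-day baseline. Bulk extraction is the signature of this breach wave.
WITH daily AS (
  SELECT user_name, DATE_TRUNC('day', start_time) AS day,
         SUM(rows_produced) AS rows_out
  FROM snowflake.account_usage.query_history
  WHERE start_time >= DATEADD(day, -30, CURRENT_TIMESTAMP())
    AND query_type = 'SELECT'
  GROUP BY 1, 2
),
baseline AS (
  SELECT user_name, AVG(rows_out) AS avg_rows, STDDEV(rows_out) AS sd_rows
  FROM daily
  WHERE day < CURRENT_DATE()
  GROUP BY 1
)
SELECT d.user_name, d.day, d.rows_out, b.avg_rows
FROM daily d
JOIN baseline b USING (user_name)
WHERE d.day = CURRENT_DATE()
  AND d.rows_out > b.avg_rows + 3 * COALESCE(b.sd_rows, 0)
  AND d.rows_out > 1000000;     -- ignore noise from small accounts

-- Least privilege: a read-only role scoped to one reporting schema, granted
-- instead of a broad admin role, so a stolen analyst credential cannot reach
-- every database in the account.
CREATE ROLE sales_reader;
GRANT USAGE ON DATABASE sales TO ROLE sales_reader;
GRANT USAGE ON SCHEMA sales.reporting TO ROLE sales_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA sales.reporting TO ROLE sales_reader;
GRANT SELECT ON FUTURE TABLES IN SCHEMA sales.reporting TO ROLE sales_reader;
GRANT ROLE sales_reader TO USER analyst_jane;
REVOKE ROLE accountadmin FROM USER analyst_jane;

-- Regular review (a): who still holds ACCOUNTADMIN.
SELECT grantee_name, created_on
FROM snowflake.account_usage.grants_to_users
WHERE role = 'ACCOUNTADMIN' AND deleted_on IS NULL;

-- Regular review (b): enabled users with no login for 90 days that still hold
-- roles; these are the long-standing privileges to disable or remove.
SELECT u.name, u.last_success_login, LISTAGG(g.role, ', ') AS roles
FROM snowflake.account_usage.users u
JOIN snowflake.account_usage.grants_to_users g
  ON g.grantee_name = u.name AND g.deleted_on IS NULL
WHERE u.deleted_on IS NULL
  AND u.disabled = FALSE
  AND COALESCE(u.last_success_login, u.created_on)
        < DATEADD(day, -90, CURRENT_TIMESTAMP())
GROUP BY 1, 2;
```

The volume baseline is deliberately per user: a data scientist who routinely exports millions of rows should not page anyone, while a dormant finance account suddenly doing the same should.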

Setting up these lines of defence while continuing to support the business with its demand for data and insights will be very challenging without help.

Reach out to [email protected] to learn how we can help!

Bart
