Snowflake and Data Breaches

6–3–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, June 3, 2024, and, if you’re anything like me, you’re also struggling to believe that it’s already June, but here we are nonetheless.

Snowflake and Data Breaches

You know, I thought about trying to come up with a clever headline around a blizzard or a storm or whatever to talk about the issues that we’ve seen crop up over the last week around next-generation database provider Snowflake, but I think the seriousness and the scale of the issue made it hard to joke about.

For those not following this issue as closely, last week, Ticketmaster (a Live Nation business), announced a data breach impacting 560 million people - perhaps the largest data breach ever.

They indicate that their database was stolen while it was hosted by Snowflake. The issue appears to be serious enough that it’s getting attention from governments, including the Australian Signals Directorate, who issued a High Alert encouraging “organisations who utilise Snowflake should reset credentials for active accounts, disable non-active accounts, enable Multi-Factor Authentication (MFA), and review user activity.”

Snowflake have themselves published an “advisory” - without admitting there’s been an incident - though they do use the terms “threat activity,” are publishing Indicator of Compromise (or IOC) data, and appear to acknowledge that the tool the threat actors are using to scrape this data has been coined “rapeflake.”

Not a good look, all around.

Unfortunately, it appears that Snowflake themselves have some security defaults that may allow this sort of behavior to take place - including allowing single-factor authentication and making the process to enroll and enforce multi-factor authentication cumbersome.

This issue - of third-party risk - is one that we continue to see challenges around, but perhaps not yet at this scale.

Third-party cyber risk management is complex but not complicated in the sense that your goal should be to ensure that data or access your third parties have is at least as secure as it is within your own environment.

The complexities come into play when you start looking at what data you have, where it is, how sensitive it is, and how it flows in and out of your organization - and then evaluating and ensuring the security measures around those users and systems - especially in the cloud.

In the case of Snowflake, if your users are single-factor, and not integrating with your Single Sign-On (SSO), you are essentially trusting them to have a secure password, that’s rotated regularly, that hasn’t been reused, and that you can reliably track down to remove access when they leave your organization.

MFA goes a long way, and while we often say about third parties that “you can outsource the work but can’t outsource the responsibility,” I think what we’re seeing here is that third parties will be quick to blame users when the chips are down - even if they made decisions that prioritized usability, growth, or profitability over security.

If you need proof, Snowflake closed the trading session today up by more than a half a percent, while Live Nation is down 1.71% in the last 5 days.

This may also be a reminder about why Microsoft’s CEO Satya Nadella had to issue a reminder to the entire company to always choose security.

Reports are continuing to indicate that there’s more to the story here on Snowflake and the extent of the breach, so we’re likely not done with this chat yet. Researchers at Hudson Rock indicate that this same attack was behind the breach at Santander Bank - though the article has since been removed and Hudson Rock notes they’ve done so “in accordance to a letter we received from Snowflake’s legal counsel”.

Meanwhile:

  • MFA everything, everywhere, every time;

  • Capture logs and retain them for a year;

  • Remove unused accounts and services;

  • Make sure that data leaving the org is at least as secure as it is when you’re holding it;

  • If you don’t need it, delete it.
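The first three items on that list (and the ASD’s “reset credentials, disable non-active accounts, enable MFA, review user activity”) map directly onto Snowflake’s own account-usage views. The queries below are an added example, not from Snowflake’s advisory or from this post; they assume a role that can read SNOWFLAKE.ACCOUNT_USAGE (ACCOUNTADMIN, typically), the column names HAS_MFA, HAS_PASSWORD, DISABLED, LAST_SUCCESS_LOGIN and FIRST/SECOND_AUTHENTICATION_FACTOR as documented for those views, and a 90-day inactivity threshold chosen here for illustration.

```sql
-- Added example: auditing a Snowflake account against the checklist above.
-- Assumes a role that can read SNOWFLAKE.ACCOUNT_USAGE (e.g. ACCOUNTADMIN).
-- ACCOUNT_USAGE views lag live account state by up to a couple of hours.

-- 1. "MFA everything": enabled users who can still log in with a password alone.
--    HAS_MFA is false for users who never enrolled; HAS_PASSWORD = true
--    means password auth is possible even if SSO is configured for the account.
SELECT name, login_name, email, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. "Remove unused accounts": enabled users with no successful login
--    in the last 90 days (assumed threshold), or that have never logged in.
SELECT name, login_name, created_on, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND (last_success_login IS NULL
       OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()));

-- 3. "Review user activity": successful single-factor password logins over
--    the last 30 days, grouped by user, source IP and client type. Password-only
--    logins from an IP or client your users never use are what the
--    "review user activity" item is asking you to find.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY user_name, last_seen DESC;

-- 4. Remediation for an account surfaced by query 2 (user name is a placeholder).
ALTER USER "STALE_USER_PLACEHOLDER" SET DISABLED = TRUE;
```

ACCOUNT_USAGE keeps a year of LOGIN_HISTORY, so the “retain logs for a year” item means exporting that view to your own log store on a schedule rather than relying on Snowflake to hold it longer.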

Fundraising

Big week for fundraising, with the total of newly committed capital exceeding $29.2B.

The majority of this was made up of the big new funds from Energy Capital Partners - with $6.7B for their fifth flagship fund and associated co-investment vehicles - while Goldman Sachs Alternatives raised $13.1B for its fifth senior direct lending fund, plus nearly $7B in associated commitments.

As we mentioned last week, lots of factors at play for these new funds, so kudos to those who have raised. The rest of us are watching the 8-K filings with the SEC to see which public companies have been caught up in the Snowflake issue.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://techcrunch.com/2024/05/31/live-nation-confirms-ticketmaster-was-hacked-says-personal-information-stolen-in-data-breach/?guccounter=1

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/increased-cyber-threat-activity-targeting-snowflake-customers

https://community.snowflake.com/s/article/Communication-ID-0108977-Additional-Information

https://web.archive.org/web/20240531225301/https://www.hudsonrock.com/blog/snowflake-massive-breach-access-through-infostealer-infection

https://www.linkedin.com/posts/hudson-rock_activity-7203433945919578113-RH05/

https://www.theverge.com/24148033/satya-nadella-microsoft-security-memo
