Over the long weekend, reports and warnings surfaced that artificial intelligence cloud storage provider Snowflake had been breached, with large amounts of personal customer information being taken and put up for sale by unknown cyber criminals.
There is confusion as to what actually happened, with Snowflake saying that while there is a "targeted threat campaign" against some of its customer accounts, there is no evidence it's due to the AI cloud storage provider or its staff being compromised by hackers.
Instead, Snowflake said the breach took place through purchased and info stealer-malware obtained login credentials. Snowflake has hired security vendor Mandiant and its partner company Crowdstrike to figure out what's happened, and to alert affected customers.
Meanwhile, customers are being told to bump up their security and add multi-factor authentication now, as well as resetting credentials and limiting access to the data stores.
The number of customers affected isn't yet know, but Live Nation owned Ticketmaster has informed the United States Securities and Exchange Commission (SEC) watchdog of the data breach:
On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorised activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster LLC subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened. On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorised access to personal information.
How many people are affected is unclear at the moment, but TechCrunch reported that "ShinyHunters" are offering for sale personal data of some 560 million customers on cybercrime site BreachForums, for half a million US dollars.
New Breach from ShinyHunters. Selling the database of @LiveNation / @Ticketmaster for $500k. Over 1.3TB of data consisting of 560 million customers full details (name, address, email, phone), order details, cc detail - customer, last 4, exp date. @DarkWebInformer @troyhunt pic.twitter.com/oTBUI9NkVc
— James H (@milkshakesbot) May 28, 2024
A small data sample tested by TechCrunch turned out to be real. Why Ticketmaster stored user data on Snowflake has not yet been explained.
As an un-related aside, news of the data breach couldn't have come at a worse time for Live Nation, which is under fire in the US where authorities have sued it for being a monopolist, demanding the Ticketmaster parent is broken up.
Spanish-owned Banco Santander was also breached, and has apologised for the incident which appears to have led to personal data of customers and staff being leaked:
Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain and Uruguay, as well as all current and some former Santander employees of the group had been accessed. Customer data in all other Santander markets and businesses are not affected.
No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords. The bank's operations and systems are not affected, so customers can continue to transact securely.
The incident sparked an urgent alert from the Australian Signals Directorate spooks, saying its Cyber Security Centre (ACSC) is tracking the threat and is "aware of successful compromises of several companies utilising Snowflake environments".
This is a developing story. We are waiting to hear how many "several companies" represents. Snowflake lists some of the world's biggest brands as customers, including many very prominent enterprises in New Zealand and Australia. More to come.
8 Comments
Holy cow, if snowflake has been hacked... that's a lot of businesses all over the world that will have their identity information exposed. And if they are using the same login info for multiple software or networks (which is terrible security practice, but happens), then its all on. That login info could cause significant damage.
Normally shareholders are fine so long as the money keeps following. Companies have insurance for tech hacks but the customers don't. Also fines to companies that lose customer data in hacks or bad staff behaviour is incredibly low, so low it is barely a foot note or a revision in the insurance premiums. It is also incredibly hard for customers to pursue damages for identity theft (even harder to prove the loss of any individual company data was behind it).
For instance take Tesla: customers were unaware Tesla staff regularly took video footage from the cars cameras from inside customer homes, capturing sexual activities of adults, naked children etc which they shared around the office for mocking. Even with the strict laws around CSAM Tesla shareholders did not blink but they got real annoyed when the share price drops or Eion wants to take out billions of dollars from the company.
In fact the customers were not aware camera footage could be recorded in their homes when the vehicle was not operating and that they had automatically agreed for the company to use it. It was still illegal for the company to abuse and lose it but the wet bus tickets that day had been dropped in the mariana trench.
I expect you will find that this is the case of the login details being breached as opposed to a bug in Snowflake being compromised. While Snowflake enable AI this is merely a feature add as opposed to the core product offering and merely a distraction from the event. Snowflake have the best security teams around and take all of this incredibly seriously.. Unlikely to be a fault on their behalf form my experience. Ticketmaster however.. there lies a problem no doubt.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.