Snowflake Data Breaches Expose Weaknesses in Cloud Security for High-Profile Companies
- Enterra

- Sep 11
- 4 min read

Recent reports have highlighted a troubling trend: multiple organizations using Snowflake’s cloud environment have experienced significant data breaches. Although initially sporadic, by May it became evident that these incidents were part of a broader wave of cyberattacks that hit high-profile companies, exposing millions of records. The breaches often involved info-stealing campaigns that compromised login credentials for Snowflake users, enabling unauthorized access to sensitive data.
Event Details
The breach affecting Ticketmaster gained widespread attention when it was revealed in late May that 560 million records had been stolen, allegedly including names, addresses, phone numbers, and partial credit card information. The hackers, operating under the name ShinyHunters, attempted to sell this data on the criminal marketplace BreachForums. To pressure Ticketmaster into compliance, another hacker group, Sp1derHunters, published thousands of “print-at-home” concert tickets for major artists.
Another victim, the multinational bank Santander, reported unauthorized access in its database environment. Although Santander did not explicitly link the incident to Snowflake, clues point in that direction, especially as both companies use Snowflake for cloud data storage. This breach reportedly impacted more than 30 million customer records from branches in Chile, Spain, and Uruguay.
Reactions and Consequences
The attacks prompted Snowflake and affected companies to clarify the breach’s origins. Snowflake’s Chief Information Security Officer (CISO) emphasized that the breaches were not caused by a vulnerability or misconfiguration in their platform. Rather, the attackers gained entry by exploiting unrotated login credentials and environments without multifactor authentication (MFA) or network allow-lists—security gaps that left accounts vulnerable.
Cybersecurity researchers at Mandiant and Mitiga confirmed that these attacks likely involved groups leveraging outdated login information, exploiting the lack of security protocols. Although Snowflake has since rolled out a feature for mandatory MFA, it remains the responsibility of each company to activate it.
Key Insights
These incidents offer crucial lessons about cybersecurity in cloud environments, especially for companies that may assume security is entirely the provider’s responsibility. The breaches at Ticketmaster and Santander underline a few critical points:
Customer Responsibility in Security: The “shared responsibility model” of cloud security places some duties on customers. Snowflake’s stance reminds users that platform-level security cannot compensate for weak access protocols on the customer’s end.
Importance of Regular Credential Rotation: Cybercriminals leveraged old, unrotated login credentials to access systems. Regularly updating passwords and implementing MFA can significantly reduce such risks.
Impact of Inadequate Security Protocols: The absence of basic security measures like MFA and network allow-lists is a glaring issue, especially for companies managing millions of sensitive records. These gaps underscore the importance of a proactive approach to cybersecurity.
How to Move Forward: Strengthening Cybersecurity Protocols
To prevent future breaches and minimize risks, organizations must reinforce their cybersecurity frameworks. Implementing a structured cybersecurity maturity model, like Enterra’s, can provide a roadmap for organizations to strengthen their security postures incrementally. Enterra’s Cybersecurity Maturity Model helps organizations evolve their security measures in stages:
Basic Stage: Fundamental security measures like password policies and basic antivirus software are implemented, reducing risks for common attacks.
Coordinated Stage: Organizations at this level use tools like multifactor authentication, Security Information and Event Management (SIEM) systems, and access management to secure accounts. Ticketmaster and Santander would likely have benefited from these added defenses to prevent unauthorized access to their data.
Proactive Stage: With advanced threat detection and monitoring systems in place, organizations can detect suspicious activity and respond swiftly.
Adaptive Stage: The highest level of maturity incorporates AI and Zero Trust models, enabling dynamic responses to evolving threats and establishing highly resilient systems.
For companies facing high volumes of sensitive data, progressing through these stages enhances resilience and mitigates the risk of breaches.
Protocols for Improved Security
To safeguard sensitive data, companies should implement these essential protocols:
Mandatory MFA and Regular Password Rotation: MFA adds a critical layer of security, and routine password updates prevent unauthorized access through stale credentials.
Network Allow-Lists: Limit access to trusted IP addresses to prevent unwanted logins from unverified sources.
Routine Audits and Security Testing: Regularly audit systems for potential vulnerabilities, especially within cloud environments, and engage in security testing to validate protections.
Supply Chain Security: Ensure that all vendors meet high-security standards to mitigate risks from third-party dependencies.
Incident Response Plan: Establish a robust response plan and conduct regular simulations to ensure rapid recovery in case of a breach.
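The three technical gaps this post keeps returning to (password-only logins without MFA, logins from addresses outside a network allow-list, and credentials that were never rotated) are all visible in login telemetry, which makes them auditable before an attacker finds them. The following is an added example, not code from Enterra or Snowflake: it runs a defender's audit over a handful of constructed login records whose field names mirror the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS). The sample events, the password-age table, the allow-listed networks and the 90-day threshold are all assumptions made up for the example; in practice the rows would come from a query against that view, and the allow-list from the account's network policy.

```python
"""Audit login records for the gaps named in the post: password-only logins,
logins from outside the network allow-list, and stale credentials.

Added example. Field names mirror Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY
columns, but every record, network range and date below is constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed allow-list (documentation TEST-NET ranges, not real office egress IPs).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy


@dataclass(frozen=True)
class LoginEvent:
    event_time: datetime
    user_name: str
    client_ip: str
    first_factor: str            # e.g. PASSWORD, OAUTH_ACCESS_TOKEN
    second_factor: Optional[str]  # e.g. DUO_PUSH, or None when no MFA was used
    is_success: bool


# Constructed sample: a service account logging in with a password only,
# once from a known range and once from an unknown address.
SAMPLE_LOGINS: List[LoginEvent] = [
    LoginEvent(datetime(2024, 5, 1, 10, 0), "ETL_SVC", "203.0.113.10", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 5, 1, 11, 0), "ALICE", "203.0.113.20", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(datetime(2024, 5, 2, 3, 14), "ETL_SVC", "192.0.2.77", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 5, 2, 3, 15), "BOB", "192.0.2.77", "PASSWORD", None, False),
    LoginEvent(datetime(2024, 5, 2, 9, 0), "CAROL", "198.51.100.5", "OAUTH_ACCESS_TOKEN", None, True),
]

# Constructed: when each user's password was last set.
PASSWORD_LAST_SET: Dict[str, date] = {
    "ETL_SVC": date(2022, 11, 1),
    "ALICE": date(2024, 3, 15),
    "BOB": date(2023, 12, 1),
    "CAROL": date(2024, 4, 1),
}


def single_factor_logins(events: List[LoginEvent]) -> List[LoginEvent]:
    """Successful password logins with no second factor.

    OAuth/SSO logins are left alone: MFA is normally enforced by the
    identity provider there, so the password-only check does not apply.
    """
    return [e for e in events
            if e.is_success and e.first_factor == "PASSWORD" and e.second_factor is None]


def logins_outside_allowlist(events: List[LoginEvent],
                             networks=ALLOWED_NETWORKS) -> List[LoginEvent]:
    """Successful logins whose source address is in none of the allowed networks."""
    return [e for e in events
            if e.is_success and not any(ip_address(e.client_ip) in n for n in networks)]


def stale_credentials(last_set: Dict[str, date], as_of: date,
                      max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> List[str]:
    """Users whose password is older than the rotation policy allows."""
    return sorted(u for u, d in last_set.items() if (as_of - d).days > max_age_days)


def audit(events: List[LoginEvent], last_set: Dict[str, date], as_of: date) -> Dict[str, List[str]]:
    """Combine the three checks; 'high_risk_users' fail all of them at once,
    which is the exact profile the post describes for the breached accounts."""
    password_only = {e.user_name for e in single_factor_logins(events)}
    outside = {e.user_name for e in logins_outside_allowlist(events)}
    stale = set(stale_credentials(last_set, as_of))
    return {
        "password_only_users": sorted(password_only),
        "outside_allowlist_users": sorted(outside),
        "stale_credential_users": sorted(stale),
        "high_risk_users": sorted(password_only & outside & stale),
    }


if __name__ == "__main__":
    for finding, users in audit(SAMPLE_LOGINS, PASSWORD_LAST_SET, date(2024, 5, 3)).items():
        print(f"{finding}: {', '.join(users) or '-'}")
```

The failed login from 192.0.2.77 is deliberately not counted: the allow-list check is about where successful sessions came from, while a burst of failures from an unknown address is a separate signal worth its own alert. An account that shows up in all three lists, as ETL_SVC does here, is the one to fix first: enable MFA or move it to key-pair or OAuth authentication, rotate its credential, and attach a network policy.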
A Call to Action: Strengthen Cloud Security Now
The Snowflake breaches underscore the urgent need for organizations to treat cybersecurity as an ongoing commitment. By moving through a cybersecurity maturity model, companies can progressively enhance their defenses, adapting to evolving threats and ensuring that sensitive data remains secure. These steps, though simple, offer powerful protection and are crucial to preventing the significant damage caused by data breaches.
Enterra’s model provides a structured path for organizations looking to reinforce their cybersecurity, reminding us that vigilance and preparedness are key to navigating the complex landscape of cloud security. For companies managing large volumes of sensitive data, these protections are essential not just for operational continuity, but for maintaining the trust of their customers and partners in an increasingly digital world.