As organisations more and more migrate to the cloud, securing delicate knowledge has by no means been extra essential. Whereas cloud computing presents flexibility and scalability, it additionally opens the door to a spread of safety dangers.
From easy misconfigurations to complicated insider threats, cloud safety breaches have price firms enormous sums of cash and compromised tens of millions of customers’ non-public data. On this article, we discover 10 high-profile cloud safety failures, every one offering an important lesson within the significance of sturdy safety practices. These real-life incidents function cautionary tales for companies counting on cloud companies, providing key takeaways to assist forestall the following main breach.
Right here’s what went improper, what may have been executed in a different way and the way firms can fortify their defences towards the ever-evolving panorama of cloud safety threats.
1. Dropbox (2012)
Incident: A hacker obtained Dropbox consumer credentials by way of a third-party breach and accessed customers’ cloud-stored information, exposing tens of millions of accounts.
Response: A Dropbox investigation decided that usernames and passwords stolen from different web sites had been used to sign up to “a small quantity” of Dropbox accounts. The corporate contacted these customers, providing to assist them shield their accounts.
Aditya Agarwal, then VP of engineering at Dropbox, mentioned: “A stolen password was additionally used to entry an worker Dropbox account containing a venture doc with consumer e-mail addresses. We consider this improper entry is what led to the spam.” He added that Dropbox was placing extra controls in place to assist be sure that there was no repeat of the problem.
The cloud storage agency opted to introduce two-factor authentication (2FA) and enhanced safety monitoring to stop future breaches. Later, in 2016, it was revealed that the breach had affected greater than 68 million consumer accounts. Dropbox prompted customers who hadn’t modified their passwords since 2012 to take action as a precautionary measure.
Lesson: The significance of robust, multi-factor authentication (MFA) and monitoring for uncommon login exercise.
2. Snapchat (2014)
Incident: Snapchat’s cloud-based infrastructure was compromised resulting from vulnerabilities in the best way it dealt with consumer knowledge. Hackers exploited cloud methods and leaked tens of millions of photographs.
Response: On this knowledge leak, sometimes called “The Snappening, Snapchat itself was circuitously hacked. As an alternative, third-party apps that saved Snapchat photographs had been compromised. A spokesperson for the corporate mentioned: “Snapchatters had been victimised by their use of third-party apps to ship and obtain Snaps.
We expressly prohibit third-party apps that entry our service, as they compromise customers’ safety.” Snapchat warned customers towards third-party apps and improved its safety insurance policies to assist forestall unauthorised entry.
Lesson: Correct safety measures for consumer knowledge and picture dealing with in cloud storage can forestall mass knowledge leaks.
3. Uber (2016)
Incident: Hackers accessed Uber’s cloud-based storage and obtained private knowledge of 57 million customers and drivers. Uber initially didn’t report the breach.
Response: Uber executives finally commented on the breach in 2017, however solely after it had been made public. The transportation agency confirmed that 57 million accounts had been compromised, together with names, e-mail addresses and cellphone numbers of customers and drivers. As an alternative of reporting the breach on the time, Uber paid the hackers $100,000 below the guise of a bug bounty to delete the info and stay silent.
In November 2017, Dara Khosrowshahi, who grew to become Uber’s CEO after the breach, admitted Uber’s failure to reveal the incident sooner. He mentioned: “None of this could have occurred, and I cannot make excuses for it. We’re altering the best way we do enterprise. We’re taking steps to make sure that we do the precise factor going ahead.”
Joe Sullivan, Uber’s CSO through the breach, was later fired and charged with masking up the hack. Prosecutors accused him of obstructing justice by misclassifying the breach as a bug bounty fee. Throughout his 2022 trial, Sullivan defended his actions, stating: “I used to be following the processes that had been in place at Uber on the time.”
Nevertheless, he was discovered responsible of obstructing justice, marking the primary time a safety government was convicted for mishandling a knowledge breach. After this scandal, Uber strengthened its safety insurance policies and reached a $148m settlement for failing to reveal the breach.
Lesson: Frequently monitor and safe cloud storage, implement strict entry management, and guarantee correct incident response protocols.
4. AWS S3 Breach (2017)
Incident: A large knowledge leak occurred when firms mistakenly left AWS S3 buckets publicly accessible. This uncovered delicate knowledge reminiscent of buyer data, inner enterprise paperwork, and personal communications.
Response: AWS emphasised that the breaches weren’t resulting from vulnerabilities in AWS itself, however relatively misconfigurations by clients who inadvertently left their S3 storage buckets publicly accessible.
The cloud computing supplier issued an announcement clarifying that these breaches had been the results of consumer error, explaining: “Amazon S3 is safe by default, and bucket entry is managed by the shopper. We offer clear steerage and instruments for patrons to configure their assets securely.”
AWS continued to roll out additional safety features and enhancements to assist clients shield their knowledge.
The next 12 months, the AWS CISO, Stephen Schmidt (AWS CISO), addressed these considerations at AWS re:Invent 2017. He mentioned: “The primary safety threat we see at present remains to be misconfiguration. We strongly encourage clients to make the most of encryption, IAM insurance policies and entry management options to stop unintentional publicity.”
Lesson: All the time configure entry permissions rigorously and repeatedly audit cloud storage for safety dangers.
5. Accenture (2017)
Incident: Accenture by accident uncovered its inner cloud databases, which contained delicate consumer data, together with passwords, resulting from weak safety configurations.
Response: Upon discovery, Accenture promptly secured the uncovered knowledge and acknowledged: “There was no threat to any of our purchasers – no lively credentials, PII, or different delicate data was compromised.”
It additional clarified that the uncovered data didn’t grant entry to consumer methods and was not associated to manufacturing knowledge or purposes.
Lesson: All the time encrypt delicate knowledge and punctiliously handle entry to cloud-based infrastructure.
6. GitHub (2018)
Incident: GitHub skilled an enormous DDoS assault that leveraged the cloud’s skill to scale. The assault overwhelmed GitHub’s infrastructure, however the incident confirmed how cloud companies can each allow and mitigate large-scale assaults.
Response: This DDoS assault was one of many largest ever recorded on the time, peaking at 1.35 terabits per second (Tbps). It was a memcached amplification assault, which leveraged unsecured memcached servers to flood GitHub’s infrastructure with site visitors.
After efficiently mitigating the assault, GitHub’s engineering workforce printed a weblog publish detailing the incident. It acknowledged: “Between 17:21 and 17:30 UTC, GitHub was impacted by a record-breaking volumetric DDoS assault. We briefly skilled intermittent availability, however our methods routinely mitigated the assault. We modeled our DDoS response capabilities on earlier assaults and instantly routed site visitors to our DDoS mitigation supplier.”
GitHub engineer Sam Kottler added: “This was the most important DDoS assault we – and the world – had ever seen on the time. Cloud-based mitigation methods helped take up the large inflow of site visitors.”
Lesson: Cloud companies are extremely scalable, but it surely’s important to have DDoS mitigation methods in place, even in cloud environments.
7. Capital One (2019)
Incident: A misconfigured AWS S3 bucket uncovered delicate knowledge from over 100 million clients. A former AWS worker exploited a vulnerability, accessing private data, credit score scores and banking particulars.
Response: On July 29, 2019, Capital One introduced that on July 19, 2019, it had decided there was unauthorised entry by an outdoor particular person who obtained sure varieties of private data regarding individuals who had utilized for its bank card merchandise and to Capital One bank card clients.
Capital One mentioned it instantly mounted the configuration vulnerability that was exploited and promptly started working with federal legislation enforcement. The person chargeable for the breach was arrested by the FBI, and Capital One supplied free credit score monitoring and identification safety to these affected.
Lesson: The significance of correct configuration administration and entry management in cloud companies.
8. Microsoft (2019)
Incident: In 2019, Microsoft uncovered tens of millions of buyer help data resulting from misconfigured cloud storage settings. The info was saved in Azure Blob Storage, and it was found that the data, which included buyer help tickets and different delicate data, had been publicly accessible resulting from improper safety configurations.
Response: Microsoft rapidly secured the uncovered knowledge and acknowledged {that a} third-party vendor was chargeable for the error. They clarified that the info was not accessed by malicious actors however was publicly seen as a result of misconfiguration. Microsoft labored to stop related incidents sooner or later by tightening safety protocols for cloud storage.
Lesson: This incident highlights the essential significance of accurately configuring cloud storage and imposing correct entry controls. Common safety audits and monitoring are essential to determine and repair vulnerabilities earlier than they are often exploited.
9. Fb (2019)
Incident: Fb uncovered over 540 million data by way of unsecured cloud storage, together with knowledge reminiscent of consumer feedback, likes, and reactions, making it susceptible to exterior entry.
Response: After the publicity was found, Fb acknowledged that third-party builders had been chargeable for the unsecured storage. Fb clarified that the info was circuitously leaked from its personal methods however was the results of improper safety practices by app builders who used Fb’s APIs to gather consumer knowledge.
Fb reportedly labored to inform the third-party builders and inspired them to repair the safety vulnerabilities. It additionally restricted entry to the API that allowed apps to gather such knowledge, making it tougher for future knowledge leaks to happen resulting from misconfigurations.
Lesson: Guarantee cloud storage is accurately configured and implement encryption to guard knowledge at relaxation.
10. Slack (2020)
Incident: Slack’s cloud infrastructure was compromised after an worker’s API token was uncovered publicly. This allowed unauthorised entry to delicate company knowledge.
Response: Slack acknowledged the breach and supplied particulars to clients on how the incident was dealt with. It emphasised that the incident was restricted in scope and didn’t result in a broader compromise of their infrastructure.
In a weblog publish it acknowledged: “We’ve got decided that the incident was the results of an uncovered API token. It allowed unauthorised entry to sure components of our system. The problem has been absolutely resolved and the uncovered token has been invalidated.”
The corporate additionally harassed that no delicate consumer knowledge (reminiscent of non-public messages or account credentials) was uncovered within the breach.
Slack up to date its safety practices round API token administration, encouraging organisations to make use of safer strategies for dealing with API tokens and to undertake extra authentication measures to stop future incidents.
Lesson: Frequently monitor and rotate API tokens and keys to mitigate the chance of misuse.
Picture by Akash Kumar from Pixabay
Wish to study extra about cybersecurity and the cloud from business leaders? Try Cyber Security & Cloud Expo going down in Amsterdam, California, and London.
Discover different upcoming enterprise know-how occasions and webinars powered by TechForge here.
