As organisations more and more migrate to the cloud, securing delicate information has by no means been extra vital. Whereas cloud computing gives flexibility and scalability, it additionally opens the door to a spread of safety dangers.
From easy misconfigurations to complicated insider threats, cloud safety breaches have price corporations enormous sums of cash and compromised tens of millions of customers’ non-public data. On this article, we discover 10 high-profile cloud safety failures, every one offering an important lesson within the significance of sturdy safety practices. These real-life incidents function cautionary tales for companies counting on cloud providers, providing key takeaways to assist forestall the following main breach.
Right here’s what went flawed, what might have been achieved in another way and the way corporations can fortify their defences towards the ever-evolving panorama of cloud safety threats.
1. Dropbox (2012)
Incident: A hacker obtained Dropbox consumer credentials by a third-party breach and accessed customers’ cloud-stored recordsdata, exposing tens of millions of accounts.
Response: A Dropbox investigation decided that usernames and passwords stolen from different web sites have been used to sign up to “a small quantity” of Dropbox accounts. The corporate contacted these customers, providing to assist them defend their accounts.
Aditya Agarwal, then VP of engineering at Dropbox, mentioned: “A stolen password was additionally used to entry an worker Dropbox account containing a venture doc with consumer e mail addresses. We imagine this improper entry is what led to the spam.” He added that Dropbox was placing extra controls in place to assist be sure there was no repeat of the difficulty.
The cloud storage agency opted to introduce two-factor authentication (2FA) and enhanced safety monitoring to forestall future breaches. Later, in 2016, it was revealed that the breach had affected greater than 68 million consumer accounts. Dropbox prompted customers who hadn’t modified their passwords since 2012 to take action as a precautionary measure.
Lesson: The significance of robust, multi-factor authentication (MFA) and monitoring for uncommon login exercise.
2. Snapchat (2014)
Incident: Snapchat’s cloud-based infrastructure was compromised resulting from vulnerabilities in the way in which it dealt with consumer information. Hackers exploited cloud techniques and leaked tens of millions of photographs.
Response: On this information leak, also known as “The Snappening, Snapchat itself was indirectly hacked. As a substitute, third-party apps that saved Snapchat photographs have been compromised. A spokesperson for the corporate mentioned: “Snapchatters have been victimised by their use of third-party apps to ship and obtain Snaps.
We expressly prohibit third-party apps that entry our service, as they compromise customers’ safety.” Snapchat warned customers towards third-party apps and improved its safety insurance policies to assist forestall unauthorised entry.
Lesson: Correct safety measures for consumer information and picture dealing with in cloud storage can forestall mass information leaks.
3. Uber (2016)
Incident: Hackers accessed Uber’s cloud-based storage and obtained private information of 57 million customers and drivers. Uber initially didn’t report the breach.
Response: Uber executives finally commented on the breach in 2017, however solely after it had been made public. The transportation agency confirmed that 57 million accounts have been compromised, together with names, e mail addresses and cellphone numbers of customers and drivers. As a substitute of reporting the breach on the time, Uber paid the hackers $100,000 beneath the guise of a bug bounty to delete the info and stay silent.
In November 2017, Dara Khosrowshahi, who grew to become Uber’s CEO after the breach, admitted Uber’s failure to reveal the incident sooner. He mentioned: “None of this could have occurred, and I can’t make excuses for it. We’re altering the way in which we do enterprise. We’re taking steps to make sure that we do the fitting factor going ahead.”
Joe Sullivan, Uber’s CSO throughout the breach, was later fired and charged with protecting up the hack. Prosecutors accused him of obstructing justice by misclassifying the breach as a bug bounty fee. Throughout his 2022 trial, Sullivan defended his actions, stating: “I used to be following the processes that have been in place at Uber on the time.”
Nonetheless, he was discovered responsible of obstructing justice, marking the primary time a safety govt was convicted for mishandling an information breach. After this scandal, Uber strengthened its safety insurance policies and reached a $148m settlement for failing to reveal the breach.
Lesson: Recurrently monitor and safe cloud storage, implement strict entry management, and guarantee correct incident response protocols.
4. AWS S3 Breach (2017)
Incident: A large information leak occurred when corporations mistakenly left AWS S3 buckets publicly accessible. This uncovered delicate information akin to buyer data, inside enterprise paperwork, and personal communications.
Response: AWS emphasised that the breaches weren’t resulting from vulnerabilities in AWS itself, however slightly misconfigurations by clients who inadvertently left their S3 storage buckets publicly accessible.
The cloud computing supplier issued an announcement clarifying that these breaches have been the results of consumer error, explaining: “Amazon S3 is safe by default, and bucket entry is managed by the client. We offer clear steering and instruments for patrons to configure their sources securely.”
AWS continued to roll out additional safety features and enhancements to assist clients defend their information.
The next 12 months, the AWS CISO, Stephen Schmidt (AWS CISO), addressed these considerations at AWS re:Invent 2017. He mentioned: “The primary safety danger we see right this moment remains to be misconfiguration. We strongly encourage clients to reap the benefits of encryption, IAM insurance policies and entry management options to forestall unintentional publicity.”
Lesson: All the time configure entry permissions fastidiously and frequently audit cloud storage for safety dangers.
5. Accenture (2017)
Incident: Accenture by accident uncovered its inside cloud databases, which contained delicate consumer data, together with passwords, resulting from weak safety configurations.
Response: Upon discovery, Accenture promptly secured the uncovered information and said: “There was no danger to any of our purchasers – no energetic credentials, PII, or different delicate data was compromised.”
It additional clarified that the uncovered data didn’t grant entry to consumer techniques and was not associated to manufacturing information or purposes.
Lesson: All the time encrypt delicate information and thoroughly handle entry to cloud-based infrastructure.
6. GitHub (2018)
Incident: GitHub skilled a large DDoS assault that leveraged the cloud’s capacity to scale. The assault overwhelmed GitHub’s infrastructure, however the incident confirmed how cloud providers can each allow and mitigate large-scale assaults.
Response: This DDoS assault was one of many largest ever recorded on the time, peaking at 1.35 terabits per second (Tbps). It was a memcached amplification assault, which leveraged unsecured memcached servers to flood GitHub’s infrastructure with site visitors.
After efficiently mitigating the assault, GitHub’s engineering group printed a weblog submit detailing the incident. It said: “Between 17:21 and 17:30 UTC, GitHub was impacted by a record-breaking volumetric DDoS assault. We briefly skilled intermittent availability, however our techniques robotically mitigated the assault. We modeled our DDoS response capabilities on earlier assaults and instantly routed site visitors to our DDoS mitigation supplier.”
GitHub engineer Sam Kottler added: “This was the most important DDoS assault we – and the world – had ever seen on the time. Cloud-based mitigation methods helped soak up the huge inflow of site visitors.”
Lesson: Cloud providers are extremely scalable, however it’s important to have DDoS mitigation methods in place, even in cloud environments.
7. Capital One (2019)
Incident: A misconfigured AWS S3 bucket uncovered delicate information from over 100 million clients. A former AWS worker exploited a vulnerability, accessing private data, credit score scores and banking particulars.
Response: On July 29, 2019, Capital One introduced that on July 19, 2019, it had decided there was unauthorised entry by an outdoor particular person who obtained sure forms of private data regarding individuals who had utilized for its bank card merchandise and to Capital One bank card clients.
Capital One mentioned it instantly mounted the configuration vulnerability that was exploited and promptly started working with federal regulation enforcement. The person accountable for the breach was arrested by the FBI, and Capital One provided free credit score monitoring and identification safety to these affected.
Lesson: The significance of correct configuration administration and entry management in cloud providers.
8. Microsoft (2019)
Incident: In 2019, Microsoft uncovered tens of millions of buyer assist information resulting from misconfigured cloud storage settings. The info was saved in Azure Blob Storage, and it was found that the information, which included buyer assist tickets and different delicate data, have been publicly accessible resulting from improper safety configurations.
Response: Microsoft rapidly secured the uncovered information and acknowledged {that a} third-party vendor was accountable for the error. They clarified that the info was not accessed by malicious actors however was publicly seen as a result of misconfiguration. Microsoft labored to forestall comparable incidents sooner or later by tightening safety protocols for cloud storage.
Lesson: This incident highlights the vital significance of appropriately configuring cloud storage and imposing correct entry controls. Common safety audits and monitoring are essential to establish and repair vulnerabilities earlier than they are often exploited.
9. Fb (2019)
Incident: Fb uncovered over 540 million information by unsecured cloud storage, together with information akin to consumer feedback, likes, and reactions, making it susceptible to exterior entry.
Response: After the publicity was found, Fb acknowledged that third-party builders have been accountable for the unsecured storage. Fb clarified that the info was indirectly leaked from its personal techniques however was the results of improper safety practices by app builders who used Fb’s APIs to gather consumer information.
Fb reportedly labored to inform the third-party builders and inspired them to repair the safety vulnerabilities. It additionally restricted entry to the API that allowed apps to gather such information, making it tougher for future information leaks to happen resulting from misconfigurations.
Lesson: Guarantee cloud storage is appropriately configured and implement encryption to guard information at relaxation.
10. Slack (2020)
Incident: Slack’s cloud infrastructure was compromised after an worker’s API token was uncovered publicly. This allowed unauthorised entry to delicate company information.
Response: Slack acknowledged the breach and supplied particulars to clients on how the incident was dealt with. It emphasised that the incident was restricted in scope and didn’t result in a broader compromise of their infrastructure.
In a weblog submit it said: “We’ve decided that the incident was the results of an uncovered API token. It allowed unauthorised entry to sure elements of our system. The problem has been absolutely resolved and the uncovered token has been invalidated.”
The corporate additionally burdened that no delicate consumer information (akin to non-public messages or account credentials) was uncovered within the breach.
Slack up to date its safety practices round API token administration, encouraging organisations to make use of safer strategies for dealing with API tokens and to undertake extra authentication measures to forestall future incidents.
Lesson: Recurrently monitor and rotate API tokens and keys to mitigate the chance of misuse.
Picture by Akash Kumar from Pixabay
Need to study extra about cybersecurity and the cloud from business leaders? Take a look at Cyber Safety & Cloud Expo going down in Amsterdam, California, and London.
Discover different upcoming enterprise expertise occasions and webinars powered by TechForge right here.
