As organisations more and more migrate to the cloud, securing delicate information has by no means been extra vital. Whereas cloud computing presents flexibility and scalability, it additionally opens the door to a spread of safety dangers.
From easy misconfigurations to advanced insider threats, cloud safety breaches have value corporations big sums of cash and compromised tens of millions of customers’ non-public data. On this article, we discover 10 high-profile cloud safety failures, every one offering an important lesson within the significance of strong safety practices. These real-life incidents function cautionary tales for companies counting on cloud companies, providing key takeaways to assist stop the following main breach.
Right here’s what went flawed, what may have been performed in a different way and the way corporations can fortify their defences towards the ever-evolving panorama of cloud safety threats.
1. Dropbox (2012)
Incident: A hacker obtained Dropbox consumer credentials via a third-party breach and accessed customers’ cloud-stored recordsdata, exposing tens of millions of accounts.
Response: A Dropbox investigation decided that usernames and passwords stolen from different web sites have been used to register to “a small quantity” of Dropbox accounts. The corporate contacted these customers, providing to assist them defend their accounts.
Aditya Agarwal, then VP of engineering at Dropbox, stated: “A stolen password was additionally used to entry an worker Dropbox account containing a undertaking doc with consumer e-mail addresses. We consider this improper entry is what led to the spam.” He added that Dropbox was placing extra controls in place to assist be sure that there was no repeat of the problem.
The cloud storage agency opted to introduce two-factor authentication (2FA) and enhanced safety monitoring to stop future breaches. Later, in 2016, it was revealed that the breach had affected greater than 68 million consumer accounts. Dropbox prompted customers who hadn’t modified their passwords since 2012 to take action as a precautionary measure.
Lesson: The significance of robust, multi-factor authentication (MFA) and monitoring for uncommon login exercise.
2. Snapchat (2014)
Incident: Snapchat’s cloud-based infrastructure was compromised attributable to vulnerabilities in the way in which it dealt with consumer information. Hackers exploited cloud programs and leaked tens of millions of pictures.
Response: On this information leak, also known as “The Snappening, Snapchat itself was circuitously hacked. As an alternative, third-party apps that saved Snapchat pictures have been compromised. A spokesperson for the corporate stated: “Snapchatters have been victimised by their use of third-party apps to ship and obtain Snaps.
We expressly prohibit third-party apps that entry our service, as they compromise customers’ safety.” Snapchat warned customers towards third-party apps and improved its safety insurance policies to assist stop unauthorised entry.
Lesson: Correct safety measures for consumer information and picture dealing with in cloud storage can stop mass information leaks.
3. Uber (2016)
Incident: Hackers accessed Uber’s cloud-based storage and obtained private information of 57 million customers and drivers. Uber initially didn’t report the breach.
Response: Uber executives ultimately commented on the breach in 2017, however solely after it had been made public. The transportation agency confirmed that 57 million accounts have been compromised, together with names, e-mail addresses and telephone numbers of customers and drivers. As an alternative of reporting the breach on the time, Uber paid the hackers $100,000 beneath the guise of a bug bounty to delete the information and stay silent.
In November 2017, Dara Khosrowshahi, who turned Uber’s CEO after the breach, admitted Uber’s failure to reveal the incident sooner. He stated: “None of this could have occurred, and I can’t make excuses for it. We’re altering the way in which we do enterprise. We’re taking steps to make sure that we do the proper factor going ahead.”
Joe Sullivan, Uber’s CSO in the course of the breach, was later fired and charged with protecting up the hack. Prosecutors accused him of obstructing justice by misclassifying the breach as a bug bounty fee. Throughout his 2022 trial, Sullivan defended his actions, stating: “I used to be following the processes that have been in place at Uber on the time.”
Nevertheless, he was discovered responsible of obstructing justice, marking the primary time a safety govt was convicted for mishandling an information breach. After this scandal, Uber strengthened its safety insurance policies and reached a $148m settlement for failing to reveal the breach.
Lesson: Often monitor and safe cloud storage, implement strict entry management, and guarantee correct incident response protocols.
4. AWS S3 Breach (2017)
Incident: A large information leak occurred when corporations mistakenly left AWS S3 buckets publicly accessible. This uncovered delicate information comparable to buyer data, inside enterprise paperwork, and personal communications.
Response: AWS emphasised that the breaches weren’t attributable to vulnerabilities in AWS itself, however relatively misconfigurations by clients who inadvertently left their S3 storage buckets publicly accessible.
The cloud computing supplier issued an announcement clarifying that these breaches have been the results of consumer error, explaining: “Amazon S3 is safe by default, and bucket entry is managed by the shopper. We offer clear steerage and instruments for purchasers to configure their assets securely.”
AWS continued to roll out additional security measures and enhancements to assist clients defend their information.
The next 12 months, the AWS CISO, Stephen Schmidt (AWS CISO), addressed these issues at AWS re:Invent 2017. He stated: “The primary safety threat we see at the moment remains to be misconfiguration. We strongly encourage clients to benefit from encryption, IAM insurance policies and entry management options to stop unintentional publicity.”
Lesson: At all times configure entry permissions fastidiously and recurrently audit cloud storage for safety dangers.
5. Accenture (2017)
Incident: Accenture by chance uncovered its inside cloud databases, which contained delicate consumer data, together with passwords, attributable to weak safety configurations.
Response: Upon discovery, Accenture promptly secured the uncovered information and acknowledged: “There was no threat to any of our shoppers – no lively credentials, PII, or different delicate data was compromised.”
It additional clarified that the uncovered data didn’t grant entry to consumer programs and was not associated to manufacturing information or functions.
Lesson: At all times encrypt delicate information and thoroughly handle entry to cloud-based infrastructure.
6. GitHub (2018)
Incident: GitHub skilled a large DDoS assault that leveraged the cloud’s capacity to scale. The assault overwhelmed GitHub’s infrastructure, however the incident confirmed how cloud companies can each allow and mitigate large-scale assaults.
Response: This DDoS assault was one of many largest ever recorded on the time, peaking at 1.35 terabits per second (Tbps). It was a memcached amplification assault, which leveraged unsecured memcached servers to flood GitHub’s infrastructure with visitors.
After efficiently mitigating the assault, GitHub’s engineering workforce printed a weblog put up detailing the incident. It acknowledged: “Between 17:21 and 17:30 UTC, GitHub was impacted by a record-breaking volumetric DDoS assault. We briefly skilled intermittent availability, however our programs robotically mitigated the assault. We modeled our DDoS response capabilities on earlier assaults and instantly routed visitors to our DDoS mitigation supplier.”
GitHub engineer Sam Kottler added: “This was the most important DDoS assault we – and the world – had ever seen on the time. Cloud-based mitigation methods helped soak up the huge inflow of visitors.”
Lesson: Cloud companies are extremely scalable, however it’s important to have DDoS mitigation methods in place, even in cloud environments.
7. Capital One (2019)
Incident: A misconfigured AWS S3 bucket uncovered delicate information from over 100 million clients. A former AWS worker exploited a vulnerability, accessing private data, credit score scores and banking particulars.
Response: On July 29, 2019, Capital One introduced that on July 19, 2019, it had decided there was unauthorised entry by an out of doors particular person who obtained sure kinds of private data regarding individuals who had utilized for its bank card merchandise and to Capital One bank card clients.
Capital One stated it instantly fastened the configuration vulnerability that was exploited and promptly started working with federal regulation enforcement. The person chargeable for the breach was arrested by the FBI, and Capital One provided free credit score monitoring and identification safety to these affected.
Lesson: The significance of correct configuration administration and entry management in cloud companies.
8. Microsoft (2019)
Incident: In 2019, Microsoft uncovered tens of millions of buyer assist data attributable to misconfigured cloud storage settings. The info was saved in Azure Blob Storage, and it was found that the data, which included buyer assist tickets and different delicate data, have been publicly accessible attributable to improper safety configurations.
Response: Microsoft shortly secured the uncovered information and acknowledged {that a} third-party vendor was chargeable for the error. They clarified that the information was not accessed by malicious actors however was publicly seen as a result of misconfiguration. Microsoft labored to stop comparable incidents sooner or later by tightening safety protocols for cloud storage.
Lesson: This incident highlights the vital significance of accurately configuring cloud storage and imposing correct entry controls. Common safety audits and monitoring are essential to determine and repair vulnerabilities earlier than they are often exploited.
9. Fb (2019)
Incident: Fb uncovered over 540 million data via unsecured cloud storage, together with information comparable to consumer feedback, likes, and reactions, making it susceptible to exterior entry.
Response: After the publicity was found, Fb acknowledged that third-party builders have been chargeable for the unsecured storage. Fb clarified that the information was circuitously leaked from its personal programs however was the results of improper safety practices by app builders who used Fb’s APIs to gather consumer information.
Fb reportedly labored to inform the third-party builders and inspired them to repair the safety vulnerabilities. It additionally restricted entry to the API that allowed apps to gather such information, making it tougher for future information leaks to happen attributable to misconfigurations.
Lesson: Guarantee cloud storage is accurately configured and implement encryption to guard information at relaxation.
10. Slack (2020)
Incident: Slack’s cloud infrastructure was compromised after an worker’s API token was uncovered publicly. This allowed unauthorised entry to delicate company information.
Response: Slack acknowledged the breach and offered particulars to clients on how the incident was dealt with. It emphasised that the incident was restricted in scope and didn’t result in a broader compromise of their infrastructure.
In a weblog put up it acknowledged: “We now have decided that the incident was the results of an uncovered API token. It allowed unauthorised entry to sure components of our system. The problem has been totally resolved and the uncovered token has been invalidated.”
The corporate additionally careworn that no delicate consumer information (comparable to non-public messages or account credentials) was uncovered within the breach.
Slack up to date its safety practices round API token administration, encouraging organisations to make use of safer strategies for dealing with API tokens and to undertake extra authentication measures to stop future incidents.
Lesson: Often monitor and rotate API tokens and keys to mitigate the danger of misuse.
Picture by Akash Kumar from Pixabay
Wish to study extra about cybersecurity and the cloud from trade leaders? Take a look at Cyber Safety & Cloud Expo going down in Amsterdam, California, and London.
Discover different upcoming enterprise expertise occasions and webinars powered by TechForge right here.