10 real-life cloud security failures and what we can learn from them


As organisations increasingly migrate to the cloud, securing sensitive data has never been more critical. While cloud computing offers flexibility and scalability, it also opens the door to a range of security risks.

From simple misconfigurations to complex insider threats, cloud security breaches have cost companies huge sums of money and compromised millions of users' private data. In this article, we explore 10 high-profile cloud security failures, each offering an important lesson in the importance of robust security practices. These real-life incidents serve as cautionary tales for businesses relying on cloud services, offering key takeaways to help prevent the next major breach.

Here's what went wrong, what could have been done differently and how companies can fortify their defences against the ever-evolving landscape of cloud security threats.

1. Dropbox (2012)

Incident: A hacker obtained Dropbox user credentials through a third-party breach and accessed users' cloud-stored data, exposing millions of accounts.

Response: A Dropbox investigation determined that usernames and passwords stolen from other websites were used to sign in to "a small number" of Dropbox accounts. The company contacted these users, offering to help them protect their accounts.

Aditya Agarwal, then VP of engineering at Dropbox, said: "A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam." He added that Dropbox was putting additional controls in place to help ensure that there was no repeat of the issue.

The cloud storage firm opted to introduce two-factor authentication (2FA) and enhanced security monitoring to prevent future breaches. Later, in 2016, it was revealed that the breach had affected more than 68 million user accounts. Dropbox prompted users who hadn't changed their passwords since 2012 to do so as a precautionary measure.

Lesson: The importance of strong, multi-factor authentication (MFA) and monitoring for unusual login activity.
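The "monitoring for unusual login activity" lesson is concrete enough to show in code. This is an added example, not from the article or from Dropbox: it runs a credential-stuffing detector over constructed login log lines (the log format and field names are assumptions), flagging a source address that fails against many different accounts and marking any account that address then successfully signs in to.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real system). One source address
# tries a different username on each attempt and eventually succeeds on one,
# which is the shape of credential stuffing with passwords reused from another
# site's breach. The second address is a normal user mistyping once.
SAMPLE_LOG = """\
2012-07-01T10:00:01Z auth user=alice ip=203.0.113.9 result=fail
2012-07-01T10:00:02Z auth user=bob ip=203.0.113.9 result=fail
2012-07-01T10:00:02Z auth user=carol ip=203.0.113.9 result=fail
2012-07-01T10:00:03Z auth user=dave ip=203.0.113.9 result=fail
2012-07-01T10:00:03Z auth user=erin ip=203.0.113.9 result=success
2012-07-01T10:00:05Z auth user=frank ip=198.51.100.4 result=fail
2012-07-01T10:00:09Z auth user=frank ip=198.51.100.4 result=success
"""

# Assumed log layout: timestamp, the literal "auth", then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Yield (ts, user, ip, result) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip"), m.group("result")


def detect_credential_stuffing(log_text, distinct_user_threshold=3):
    """Return {ip: {"failed_users": set, "compromised": set}} for every source
    address that failed against at least `distinct_user_threshold` different
    accounts. Many distinct usernames from one address, rather than many
    attempts on one account, is what separates stuffing from a forgotten
    password. Any account that address signed in to is reported as compromised.
    """
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for _ts, user, ip, result in parse_log(log_text):
        if result == "fail":
            failed[ip].add(user)
        elif result == "success":
            succeeded[ip].add(user)
    findings = {}
    for ip, users in failed.items():
        if len(users) >= distinct_user_threshold:
            findings[ip] = {"failed_users": users, "compromised": succeeded.get(ip, set())}
    return findings
```

In the sample, 203.0.113.9 is reported with "erin" as the compromised account, while 198.51.100.4 stays below the threshold.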

2. Snapchat (2014)

Incident: Snapchat's cloud-based infrastructure was compromised due to vulnerabilities in the way it handled user data. Hackers exploited cloud systems and leaked millions of photos.


Response: In this data leak, often referred to as "The Snappening", Snapchat itself was not directly hacked. Instead, third-party apps that stored Snapchat photos were compromised. A spokesperson for the company said: "Snapchatters were victimised by their use of third-party apps to send and receive Snaps. We expressly prohibit third-party apps that access our service, as they compromise users' security." Snapchat warned users against third-party apps and improved its security policies to help prevent unauthorised access.

Lesson: Proper security measures for user data and image handling in cloud storage can prevent mass data leaks.

3. Uber (2016)

Incident: Hackers accessed Uber's cloud-based storage and obtained personal data of 57 million users and drivers. Uber initially failed to report the breach.

Response: Uber executives eventually commented on the breach in 2017, but only after it had been made public. The transportation firm confirmed that 57 million accounts were compromised, including names, email addresses and phone numbers of users and drivers. Instead of reporting the breach at the time, Uber paid the hackers $100,000 under the guise of a bug bounty to delete the data and remain silent.

In November 2017, Dara Khosrowshahi, who became Uber's CEO after the breach, admitted Uber's failure to disclose the incident sooner. He said: "None of this should have happened, and I will not make excuses for it. We are changing the way we do business. We are taking steps to ensure that we do the right thing going forward."

Joe Sullivan, Uber's CSO during the breach, was later fired and charged with covering up the hack. Prosecutors accused him of obstructing justice by misclassifying the breach as a bug bounty payment. During his 2022 trial, Sullivan defended his actions, stating: "I was following the processes that were in place at Uber at the time."

However, he was found guilty of obstructing justice, marking the first time a security executive was convicted for mishandling a data breach. After this scandal, Uber strengthened its security policies and reached a $148m settlement for failing to disclose the breach.

Lesson: Regularly monitor and secure cloud storage, implement strict access control, and ensure proper incident response protocols.

4. AWS S3 Breach (2017)

Incident: A massive data leak occurred when companies mistakenly left AWS S3 buckets publicly accessible. This exposed sensitive data such as customer records, internal business documents, and private communications.

Response: AWS emphasised that the breaches were not due to vulnerabilities in AWS itself, but rather misconfigurations by customers who inadvertently left their S3 storage buckets publicly accessible.

The cloud computing provider issued a statement clarifying that these breaches were the result of user error, explaining: "Amazon S3 is secure by default, and bucket access is controlled by the customer. We provide clear guidance and tools for customers to configure their resources securely."

AWS continued to roll out further security features and enhancements to help customers protect their data.

The following year, AWS CISO Stephen Schmidt addressed these concerns at AWS re:Invent 2017. He said: "The number one security risk we see today continues to be misconfiguration. We strongly encourage customers to take advantage of encryption, IAM policies and access control features to prevent accidental exposure."

Lesson: Always configure access permissions carefully and regularly audit cloud storage for security risks.

5. Accenture (2017)

Incident: Accenture accidentally exposed its internal cloud databases, which contained sensitive client information, including passwords, due to weak security configurations.

Response: Upon discovery, Accenture promptly secured the exposed data and stated: "There was no risk to any of our clients – no active credentials, PII, or other sensitive information was compromised."

It further clarified that the exposed information did not grant access to client systems and was not related to production data or applications.

Lesson: Always encrypt sensitive data and carefully manage access to cloud-based infrastructure.

6. GitHub (2018)

Incident: GitHub experienced a massive DDoS attack that leveraged the cloud's ability to scale. The attack overwhelmed GitHub's infrastructure, but the incident showed how cloud services can both enable and mitigate large-scale attacks.

Response: This DDoS attack was one of the largest ever recorded at the time, peaking at 1.35 terabits per second (Tbps). It was a memcached amplification attack, which leveraged unsecured memcached servers to flood GitHub's infrastructure with traffic.

After successfully mitigating the attack, GitHub's engineering team published a blog post detailing the incident. It stated: "Between 17:21 and 17:30 UTC, GitHub was impacted by a record-breaking volumetric DDoS attack. We briefly experienced intermittent availability, but our systems automatically mitigated the attack. We modeled our DDoS response capabilities on previous attacks and immediately routed traffic to our DDoS mitigation provider."

GitHub engineer Sam Kottler added: "This was the largest DDoS attack we – and the world – had ever seen at the time. Cloud-based mitigation strategies helped absorb the massive influx of traffic."

Lesson: Cloud services are highly scalable, but it's essential to have DDoS mitigation strategies in place, even in cloud environments.

7. Capital One (2019)

Incident: A misconfigured AWS S3 bucket exposed sensitive data from over 100 million customers. A former AWS employee exploited a vulnerability, accessing personal information, credit scores and banking details.

Response: On July 29, 2019, Capital One announced that on July 19, 2019, it had determined there was unauthorised access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

Capital One said it immediately fixed the configuration vulnerability that was exploited and promptly began working with federal law enforcement. The individual responsible for the breach was arrested by the FBI, and Capital One offered free credit monitoring and identity protection to those affected.

Lesson: The importance of proper configuration management and access control in cloud services.
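Both the 2017 S3 exposures (item 4) and the Capital One lesson above come down to auditing whether a bucket has any public path. As an added example, not code from the article or from AWS, the following pure-Python check evaluates the three places S3 public access can come from: the Block Public Access settings, legacy ACL grants to the AllUsers/AuthenticatedUsers groups, and unconditional bucket-policy statements with a wildcard principal. The two bucket configurations are constructed, and the account id and bucket name are placeholders.

```python
import json

# The four S3 Block Public Access settings and the two ACL groups that make an
# object readable by the world (AllUsers) or by any AWS account (AuthenticatedUsers).
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

# Constructed configuration for a hypothetical bucket (not from any real account):
# Block Public Access off, a READ grant to AllUsers and a policy open to everyone.
EXPOSED_BUCKET = {
    "block_public_access": {k: False for k in BPA_KEYS},
    "acl_grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}
# Hardened counterpart: Block Public Access fully on, no public ACL grant, and
# the policy limited to one named role (constructed account id).
HARDENED_BUCKET = {
    "block_public_access": {k: True for k in BPA_KEYS},
    "acl_grants": [],
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}

def statement_is_public(stmt):
    """True for an unconditional Allow whose principal is anyone ("*" or AWS: "*")."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def audit_bucket(cfg):
    """Return human-readable findings; an empty list means no public path was found."""
    findings = []
    bpa = cfg.get("block_public_access", {})
    if not all(bpa.get(k) for k in BPA_KEYS):
        findings.append("Block Public Access is not fully enabled")
    for grant in cfg.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[1]}")
    for stmt in json.loads(cfg.get("policy") or "{}").get("Statement", []):
        if statement_is_public(stmt):
            findings.append(f"bucket policy allows {stmt.get('Action')} to any principal")
    return findings
```

A policy statement that is public but carries a Condition (for example a source-IP restriction) is deliberately not flagged, since its reach depends on the condition; in a real account the inputs would come from the GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy API calls.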

8. Microsoft (2019)

Incident: In 2019, Microsoft exposed millions of customer support records due to misconfigured cloud storage settings. The data was stored in Azure Blob Storage, and it was discovered that the records, which included customer support tickets and other sensitive information, were publicly accessible due to improper security configurations.


Response: Microsoft quickly secured the exposed data and acknowledged that a third-party vendor was responsible for the error. It clarified that the data was not accessed by malicious actors but was publicly visible because of the misconfiguration. Microsoft worked to prevent similar incidents in the future by tightening security protocols for cloud storage.

Lesson: This incident highlights the critical importance of correctly configuring cloud storage and implementing proper access controls. Regular security audits and monitoring are essential to identify and fix vulnerabilities before they can be exploited.

9. Facebook (2019)

Incident: Facebook exposed over 540 million records through unsecured cloud storage, including data such as user comments, likes, and reactions, leaving it vulnerable to external access.

Response: After the exposure was discovered, Facebook acknowledged that third-party developers were responsible for the unsecured storage. Facebook clarified that the data was not directly leaked from its own systems but was the result of improper security practices by app developers who used Facebook's APIs to collect user data.

Facebook reportedly worked to notify the third-party developers and encouraged them to fix the security vulnerabilities. It also restricted access to the API that allowed apps to collect such data, making it harder for future data leaks to occur due to misconfigurations.

Lesson: Ensure cloud storage is correctly configured and implement encryption to protect data at rest.

10. Slack (2020)

Incident: Slack's cloud infrastructure was compromised after an employee's API token was exposed publicly. This allowed unauthorised access to sensitive corporate data.

Response: Slack acknowledged the breach and provided details to customers on how the incident was handled. It emphasised that the incident was limited in scope and did not lead to a broader compromise of its infrastructure.

In a blog post it stated: "We have determined that the incident was the result of an exposed API token. It allowed unauthorised access to certain parts of our system. The issue has been fully resolved and the exposed token has been invalidated."

The company also stressed that no sensitive user data (such as private messages or account credentials) was exposed in the breach.

Slack updated its security practices around API token management, encouraging organisations to use more secure methods for handling API tokens and to adopt additional authentication measures to prevent future incidents.

Lesson: Regularly monitor and rotate API tokens and keys to mitigate the risk of misuse.

Image by Akash Kumar from Pixabay
