Ticketmaster Breach Showcases SaaS Data Security Risks
MFA and other mechanisms are critical to protect against unauthorized access to data in cloud application environments, but businesses still fall down on the job.
June 4, 2024
A massive data breach at Ticketmaster and another one at Santander Bank last month may have both resulted from a fundamental failure by the companies to properly secure access to the data on a third-party cloud storage service.
The incidents are the latest reminder of why organizations storing sensitive data in the cloud need to implement multifactor authentication (MFA), IP restrictions, and other mechanisms to protect access to it. This might seem like low-hanging fruit, but it's clear that even IT-mature companies continue to overlook cloud security in the rush toward digital transformation.
Massive Breaches
In a regulatory filing over the weekend, Ticketmaster parent Live Nation Entertainment said it was the victim of a May 20 breach involving a database hosted by a third-party cloud storage provider. The company's May 31 disclosure came after reports surfaced last week of data belonging to some 550 million Ticketmaster customers being put up for sale on a Dark Web forum by "ShinyHunters," an entity believed associated with the BreachForums leak site. Ticketmaster itself has not publicly disclosed any details of the breach beyond what it has included in the SEC filing.
Santander Bank disclosed a similar breach on May 14. In a statement at the time, the Spanish banking institution said someone had obtained unauthorized access to a database hosted by a third-party cloud services provider that contained employee and customer data. Among those primarily impacted were Santander Bank customers in Spain, Chile, and Uruguay.
ShinyHunters has claimed credit for the Santander theft as well and said the database it accessed contains data on some 30 million Santander customers, 28 million credit card numbers, account balances, HR employee lists, and other data. The threat actor has put the data up for sale for $2 million.
Both Ticketmaster and Santander have not disclosed the identity of the third-party cloud service. But numerous security analysts have identified the provider as Snowflake, a cloud storage provider that counts companies such as MasterCard, Honeywell, Disney, Albertsons, JetBlue, and other major brands as its customers.
A Failure to Protect?
Snowflake has acknowledged that there has been malicious activity that has targeted some of its customer accounts in recent weeks, but so far it has not identified which customers are affected. The company said an investigation that it conducted with help from Mandiant and CrowdStrike has shown no evidence to suggest the activity is linked to any "vulnerability, misconfiguration, or breach of Snowflake's platform."
Instead, the attacks appear to be part of a broader "targeted campaign directed at users with single-factor authentication," Snowflake said. "As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware," and used them to access customer accounts, the cloud storage vendor said.
David Bradbury, chief security officer (CSO) at Okta, says the recent incidents highlight the importance of ensuring that software-as-a-service (SaaS) applications within corporate environments have phishing-resistant MFA as well as network IP restrictions that limit access from only trusted locations. "However, MFA and inbound IP restrictions aren't enough on their own," he adds.
Attackers are increasingly focusing on post-authentication attacks that bypass MFA altogether, he says. An attacker that cannot steal user credentials will pivot to stealing proof of authentication, which is why security mechanisms such as session token binding are vital for SaaS applications, Bradbury says.
Based on the available information so far, the data leaks via the Snowflake platform do not appear to be the result of any mistake on the cloud vendor's part. Rather, it appears to be a failure by the victim organizations to follow cloud security and configuration baselines, says Michael Lyborg, CISO at Swimlane.
The Cloud Security Shared Responsibility Model
Under most current cloud shared responsibility models, the cloud vendor and customer typically split responsibility for identity and access management (IAM) and the enforcement of MFA. But ultimately, it's up to customers to follow the provider's best practices, configuration and implementation guidelines to mitigate risks to data, Lyborg says.
"I believe providers should enforce MFA and least privilege and zero trust by default to assist customers in their digital transformation journey," he says. "If an exception is made to circumvent the configuration baseline, other compensating controls should be a requirement."
However, Patrick Tiquet, vice president, security and architecture, at Keeper Security, says it's unreasonable to expect cloud providers to implement mandatory MFA and other secure by default practices in all cases.
"Each organization has unique security requirements and preferences, and uniform security measures could limit the flexibility and customization that customers seek from cloud services," he says. "Additionally, some customers may already have robust security protocols in place or may prefer to implement their own security measures, which are tailored to their specific needs."
Even so, the Ticketmaster and Santander breaches show that organizations must be aware of the potential risks in relying on their own security measures, and recognize the fact that weak or absent authentication mechanisms are prime targets for hackers to gain unauthorized access.
"As cloud adoption continues to rise, and more organizations transition their operations to the cloud," Tiquet says, "it's imperative for both cloud providers and customers to prioritize security and implement robust measures to protect against cyber threats."
About the Author
You May Also Like