Lessons from recent cloud data breaches

Cloud security is an evolving area in which many companies are still finding their footing. Navigating a cloud environment can be challenging for cybersecurity teams who are unfamiliar with how security changes there: increased automation, a shared security responsibility model with the provider, faster change management, and so on.

Cybersecurity teams can learn which areas to focus on by upskilling their cloud knowledge via certifications, adopting cloud-native best practices, and studying cloud data breaches across the industry. By analyzing these incidents and understanding which weaknesses led to the control failures, companies can make sure they are not exposed in the same way.

Let us look at a few of the most notable cloud data breaches of recent years and what lessons we can learn from them.

Accenture

Accenture, a well-known name in the IT consulting industry, revealed that a popular ransomware group had compromised it in 2017. Because of a cloud misconfiguration, Accenture had inadvertently left four of its AWS S3 buckets publicly accessible, exposing hundreds of gigabytes of sensitive client and company data. This data included more than 40,000 plaintext passwords, sensitive API data, decryption keys, authentication credentials, user data, and customer information. Hackers released some of this data on the dark web.

In August 2021, Accenture again fell prey to an attack, this time involving the LockBit ransomware. Attackers exfiltrated over six terabytes of data and demanded a $50 million ransom. The compromise also affected Accenture customers.

Accenture admitted in its financial report that  
“In addition, our clients have experienced, and may in the future experience, breaches of systems and cloud-based services enabled by or provided by us.” 

A few of the key lessons that can be taken from this incident are:

  • Deploy cloud security tools that detect misconfigurations in the cloud environment. Such misconfigurations are usually how attackers gain a foothold.
  • All major cloud providers, including Microsoft Azure, Google, and AWS, publish guidance on protecting against ransomware. Study and adopt it.
  • Insider threats are a genuine cause for concern. Employees with access can be targeted and potentially bribed by attackers with million-dollar budgets.
  • Partners and customers of Accenture were compromised as part of this attack, so it is essential to assess the risk of third-party access in a cloud environment.
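The first lesson above, detecting storage misconfigurations before an attacker does, is the kind of check a cloud posture tool automates. The following is an added example written for this article, not Accenture's or any vendor's code: it inspects an S3 bucket policy and bucket ACL for grants to everyone. The policy and ACL documents are constructed inline in the shape the AWS S3 API returns (`GetBucketPolicy`, `GetBucketAcl`), so it runs offline; the bucket names, IDs and VPC endpoint value are placeholders.

```python
"""Flag S3 bucket policies and ACLs that grant access to any principal.

Added example, not part of the original article. Inputs are constructed
documents in the JSON shape AWS returns from GetBucketPolicy/GetBucketAcl.
"""
import json

# Constructed sample: anonymous read of every object (the classic "public bucket").
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: wildcard principal, but scoped to one VPC endpoint by a condition.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}},
    }],
})

# Constructed sample ACL: owner has full control, and READ is granted to AllUsers (public).
PUBLIC_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ]
}

# Predefined S3 groups that mean "anyone" or "anyone with an AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Condition keys that narrow a wildcard principal to a network, account or organization.
RESTRICTING_CONDITION_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip", "aws:principalorgid", "aws:principalaccount",
}


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        return "*" in ([values] if isinstance(values, str) else values)
    return False


def _has_restricting_condition(statement: dict) -> bool:
    """True if a positive condition limits who can use the statement."""
    for operator, keys in statement.get("Condition", {}).items():
        if "Not" in operator:  # StringNotEquals, NotIpAddress... widen access, not narrow it
            continue
        if any(key.lower() in RESTRICTING_CONDITION_KEYS for key in keys):
            return True
    return False


def public_policy_statements(policy_json: str) -> list:
    """Return Sids (or positions) of Allow statements usable by any principal."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _has_restricting_condition(stmt):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def public_acl_grants(acl: dict) -> list:
    """Return (group URI, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(PUBLIC_POLICY))
    print("restricted policy statements:", public_policy_statements(RESTRICTED_POLICY))
    print("public ACL grants:", public_acl_grants(PUBLIC_ACL))
```

In a real deployment the two functions would be fed from the S3 API for every bucket in every account on a schedule, with findings raised as alerts; AWS's own Block Public Access setting is the preventive control that makes such grants ineffective in the first place, and this check is the detective control behind it.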

Cognyte

Cognyte, a cybersecurity analytics firm, faced industry scrutiny after a misconfiguration left over 5 billion user records exposed on the internet. Worse, the database contained data about previous security incidents, collected as part of Cognyte's intelligence service. Because of the misconfiguration, the database was reachable from the internet without any authentication in place. Thankfully, a security firm discovered the exposure and informed Cognyte proactively.

A few of the critical lessons that can be taken from this incident are:

  • Misconfigurations remain one of the biggest threats to cloud security. Without controls to detect and remediate such mistakes, a company can end up in the same situation as Cognyte.
  • You cannot secure what you cannot see. Use cloud security tools to identify all cloud resources and their security posture.
  • Passwords alone are not enough to secure a cloud environment. Multi-factor authentication would have mitigated the impact of this exposure and is something every company should implement.
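Where the Accenture case was about storage permissions, the Cognyte database was reachable over the network with no authentication at all. Finding that class of exposure means checking which firewall rules put database ports in front of the whole internet. The following is an added example written for this article, not Cognyte's or any vendor's code: it walks a list of security groups shaped like simplified EC2 `DescribeSecurityGroups` output (constructed inline, with placeholder group IDs) and reports every database or search-engine port that is open to `0.0.0.0/0` or `::/0`. The port list is an assumption about what counts as a data store.

```python
"""Report database ports that a security group opens to the whole internet.

Added example, not part of the original article. Input is constructed in the
(simplified) shape of EC2 DescribeSecurityGroups output.
"""
import ipaddress

# Assumption: well-known data-store ports that should never face the internet.
DATABASE_PORTS = {
    1433: "mssql", 3306: "mysql", 5432: "postgresql",
    6379: "redis", 9200: "elasticsearch", 27017: "mongodb",
}

# Constructed sample: a web group (fine), a search cluster (exposed),
# and a database group with one sane rule and one "allow everything" IPv6 rule.
SECURITY_GROUPS = [
    {"GroupId": "sg-web-PLACEHOLDER", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-search-PLACEHOLDER", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9300, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db-PLACEHOLDER", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        # Protocol -1 means all traffic; AWS omits FromPort/ToPort for it.
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def is_world_open(cidr: str) -> bool:
    """True for a CIDR that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_database_ports(groups: list) -> list:
    """Return (group id, port, service, source CIDR) for each internet-open DB port."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_sources = [s for s in sources if is_world_open(s)]
            if not open_sources:
                continue  # only internal or specific sources: not our concern here
            all_traffic = perm.get("IpProtocol") == "-1"
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for port, service in DATABASE_PORTS.items():
                in_range = perm.get("IpProtocol") == "tcp" and low <= port <= high
                if all_traffic or in_range:
                    for src in open_sources:
                        findings.append((group["GroupId"], port, service, src))
    return findings


if __name__ == "__main__":
    for finding in exposed_database_ports(SECURITY_GROUPS):
        print("EXPOSED: group %s port %d (%s) open to %s" % finding)
```

The check deliberately treats "all traffic" rules as covering every database port, since that is what they do in practice. A port being reachable is not by itself a breach; pairing this finding with the MFA lesson above (is authentication actually enforced on the service?) is what tells you whether an exposed port is a Cognyte-style incident waiting to happen.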

Kaseya

Kaseya, a popular IT management software provider based in the U.S., was compromised in July 2021 by a Russian hacking group. The attack resembled the SolarWinds supply chain compromise, in which a widely used software product is compromised and used as a jumping-off point into further environments. Although the company shut down its SaaS servers and notified customers, this was not enough to contain the blast radius of the attack: customers found themselves receiving ransomware instead of Kaseya's regular software updates. The situation was severe enough for the FBI and cybersecurity firms like Mandiant to get involved.

A few of the critical lessons that can be taken from this incident are:

  • Supply chain attacks can be highly devastating, as many other parties are compromised along with the initial victim. Attackers have realized that compromising the software supply chain can be easier, and pay off better, than attacking companies head-on.
  • Patching remains as essential as ever: the Russian group was able to compromise Kaseya by exploiting unpatched vulnerabilities.

Raychat

Raychat, a popular Iranian chat application, was compromised in February 2021 through a misconfigured database, much like Cognyte. Over 267 million records of customers' personal details were accessed and then deleted by a bot. Because of the misconfiguration no advanced technical skills were needed; the attacker could simply access the database and destroy it without any control detecting or stopping the malicious activity.

A few of the critical lessons that can be taken from this incident are:

  • The common theme of misconfigurations shows up once again. Had Raychat implemented controls to detect and remediate this weakness in time, the entire data breach could have been avoided.
  • Continuous monitoring of a cloud environment is essential. An unknown party reading and then wiping a cloud database is suspicious enough that it should be detected; without such controls, Raychat was unaware while the attack was taking place.

Lessons learned

Analyzing these incidents reveals common themes that run through nearly all of them. These are the lessons for ensuring our cloud environments do not contain the same weaknesses:

  • Misconfigurations are a crucial risk, and it is essential to have controls in place that can detect and mitigate these weaknesses.
  • Visibility into cloud resources is critical, as cloud environments change rapidly.
  • Continuous monitoring of cloud resources is needed. Suspicious activity such as logins from unusual locations and data exfiltration should be detected. Cloud Security Monitor provides such automated, continuous monitoring.
  • Multi-factor authentication is a best practice that should be implemented both in the cloud and on-premises.
  • Supply chain risk can be a blind spot in cloud environments. It is useful to do a risk assessment of the software supply chain and implement controls to protect against its compromise.
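The continuous monitoring lesson here, and the Raychat case above where a bot read and then deleted an entire database unnoticed, both come down to the same detection logic: baseline what a principal normally does and alert on departures. The following is an added example written for this article, not the page's product or any vendor's code. It processes a stream of audit events constructed inline (loosely modelled on CloudTrail fields, with constructed usernames and country codes) and raises three kinds of alert: a login from a country not in the user's baseline, a bulk read exceeding a byte budget within a sliding window, and a mass delete within that window. The thresholds and the ten-minute window are illustrative assumptions to be tuned against real baselines.

```python
"""Alert on unusual logins, bulk reads and mass deletes in an audit-event stream.

Added example, not part of the original article. Events and baselines are
constructed; thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds (assumptions; tune to your own environment's baseline).
WINDOW = timedelta(minutes=10)
MAX_DELETES_PER_WINDOW = 50
MAX_BYTES_PER_WINDOW = 500 * 1024 * 1024  # 500 MiB read within one window

# Constructed baseline: countries each known user normally logs in from.
KNOWN_LOCATIONS = {"alice": {"DE"}}


def _constructed_burst(start, count, action, size):
    """Build `count` events one second apart for an anonymous principal (constructed data)."""
    return [{
        "time": (start + timedelta(seconds=i + 1)).isoformat(timespec="seconds"),
        "user": "anonymous", "action": action, "country": "unknown", "bytes": size,
    } for i in range(count)]


# Constructed sample: a normal user, the same user from a new country, then a bot
# that logs in, reads 60 x 10 MiB and deletes 60 records.
EVENTS = [
    {"time": "2021-02-01T09:00:00", "user": "alice", "action": "Login", "country": "DE", "bytes": 0},
    {"time": "2021-02-01T09:05:00", "user": "alice", "action": "GetRecord", "country": "DE", "bytes": 2048},
    {"time": "2021-02-01T09:06:00", "user": "alice", "action": "Login", "country": "BR", "bytes": 0},
    {"time": "2021-02-01T09:10:00", "user": "anonymous", "action": "Login", "country": "unknown", "bytes": 0},
] + _constructed_burst(datetime(2021, 2, 1, 9, 10, 0), 60, "GetRecord", 10 * 1024 * 1024) \
  + _constructed_burst(datetime(2021, 2, 1, 9, 11, 0), 60, "DeleteRecord", 0)


class ActivityMonitor:
    """Stateful detector; feed events in time order, collect alerts as they fire."""

    def __init__(self, known_locations):
        self.known = {user: set(countries) for user, countries in known_locations.items()}
        self.deletes = defaultdict(deque)  # user -> timestamps of recent deletes
        self.reads = defaultdict(deque)    # user -> (timestamp, bytes) of recent reads
        self.fired = set()                 # (alert type, user) already raised this window

    @staticmethod
    def _expire(queue, now, stamp):
        """Drop entries older than WINDOW; `stamp` extracts the timestamp from an entry."""
        while queue and now - stamp(queue[0]) > WINDOW:
            queue.popleft()

    def process(self, event):
        now = datetime.fromisoformat(event["time"])
        user, action = event["user"], event["action"]
        alerts = []
        # 1. Login from a country never seen for this user (unknown users have no baseline).
        if action == "Login" and event["country"] not in self.known.get(user, set()):
            alerts.append(("new-location-login", user, event["country"]))
        # 2. Volume of data read within the sliding window.
        if action.startswith("Get"):
            q = self.reads[user]
            q.append((now, event["bytes"]))
            self._expire(q, now, lambda entry: entry[0])
            total = sum(size for _, size in q)
            if total > MAX_BYTES_PER_WINDOW and ("bulk-read", user) not in self.fired:
                self.fired.add(("bulk-read", user))
                alerts.append(("bulk-read", user, total))
        # 3. Number of deletes within the sliding window.
        if action.startswith("Delete"):
            q = self.deletes[user]
            q.append(now)
            self._expire(q, now, lambda entry: entry)
            if len(q) > MAX_DELETES_PER_WINDOW and ("mass-delete", user) not in self.fired:
                self.fired.add(("mass-delete", user))
                alerts.append(("mass-delete", user, len(q)))
        return alerts


def run_monitor(events, known_locations):
    """Replay events in time order and return every alert raised."""
    monitor = ActivityMonitor(known_locations)
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        alerts.extend(monitor.process(event))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(EVENTS, KNOWN_LOCATIONS):
        print(alert)
```

Against the constructed stream this raises four alerts: alice's login from BR, the anonymous login, a bulk-read once the anonymous principal passes 500 MiB, and a mass-delete at the 51st deletion. The point of the Raychat case is the last two: the deletion alert fires after 51 records, not 267 million, which is the difference between an incident and a total loss.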