Snowflake Denies Responsibility for Ticketmaster, Santander Breaches
Snowflake admits an ex-employee account was compromised, but the third-party cloud data storage software company denies the hack is linked to a pair of high-profile ‘ShinyHunters’ attacks on Ticketmaster and Santander Bank customers. Ticketmaster has confirmed its breach.
Snowflake over the weekend denied responsibility for recent attacks on Ticketmaster and Santander Bank that exposed more than half a billion customers’ sensitive data, while admitting that it found evidence that “similar to impacted customer accounts, the threat actor obtained personal credentials to and accessed a demo account owned by a former Snowflake employee.”
“We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s Platform,” Snowflake CISO Brad Jones wrote in a late Friday blog post. Jones said the former employee’s account “did not contain sensitive data” and was “not connected to Snowflake’s production or corporate systems.”
Snowflake recommends that organizations enforce multi-factor authentication on all accounts and set up network policy rules to allow only authorized users and traffic from trusted locations, and that impacted organizations reset and rotate their Snowflake credentials.
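The three recommendations above map onto a handful of Snowflake SQL statements and ACCOUNT_USAGE queries. The following is an added example written for this page, not code from the article or from Snowflake's own advisory; the policy name, the IP ranges (taken from RFC 5737 documentation space) and the user names are hypothetical. It assumes a role with the privileges to alter the account and users and to read the SNOWFLAKE.ACCOUNT_USAGE views. MFA enrollment itself is performed by each user in the Snowflake UI, so the second query is there to find the accounts that have not done it, and the last block shows the credential rotation and the disabling of a departed employee's account that the story turns on.

```sql
-- Added example; not from the article or from Snowflake's advisory.
-- corp_egress_only, analyst_jdoe, former_employee_demo and the IP
-- ranges are hypothetical placeholders.

-- 1. Network policy: accept sessions only from trusted egress ranges.
--    Set at account level it applies to every user; a per-user policy
--    can override it for a service account that connects from elsewhere.
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.10')  -- constructed ranges
  COMMENT = 'Corporate VPN egress and CI runner only';

ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

-- 2. Users who can still log in with a password and are not MFA-enrolled.
--    EXT_AUTHN_DUO is the MFA enrollment flag in ACCOUNT_USAGE.USERS.
SELECT name, has_password, has_rsa_public_key, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Successful password-only logins (no second factor) in the last 30 days,
--    with the source IP so they can be compared against the allow list.
--    ACCOUNT_USAGE.LOGIN_HISTORY is delayed by up to about two hours.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
  AND  event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 4. Rotate credentials for an affected user: force a password change at
--    next login and drop any key-pair credential that may also have leaked.
ALTER USER analyst_jdoe SET PASSWORD = '<new-random-value>' MUST_CHANGE_PASSWORD = TRUE;
ALTER USER analyst_jdoe UNSET RSA_PUBLIC_KEY;
ALTER USER analyst_jdoe UNSET RSA_PUBLIC_KEY_2;

-- 5. An account belonging to someone who has left should not exist at all,
--    demo instance or not: disable it, then drop it once reviewed.
ALTER USER former_employee_demo SET DISABLED = TRUE;
```

Run query 2 and query 3 before applying the network policy: the logins they return tell you which service accounts and CI runners will break if their source addresses are missing from ALLOWED_IP_LIST, and which human accounts need a per-user exception or, better, MFA enrollment before the policy goes account-wide.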
Both Ticketmaster’s parent Live Nation and Santander Bank said the breaches were the result of a third-party cloud data breach, without specifying the vendor. In a report published Friday, research firm Hudson Rock claimed it communicated with ShinyHunters and that the threat actor had told the firm that “all of these breaches stem from the hack of a single vendor -- Snowflake.”
The group was then able to “sign into a Snowflake employee’s ServiceNow account using stolen credentials, thus bypassing Okta [multi-factor authentication],” Hudson Rock claims.
Additionally, the Australian Government’s Australian Signals Directorate (ASD) issued an alert directly to Snowflake customers. “The ASD’s [Australian Cyber Security Center] is aware of successful compromises of several companies utilizing Snowflake environments.”
Live Nation, which is the subject of a class-action lawsuit over the Ticketmaster breach, in a Friday filing with the US Securities and Exchange Commission confirmed the breach, saying, “we are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement.”
According to Hudson Rock, ShinyHunters claims to have breached other firms as well, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, Advanced Auto Parts, and many more.
Who’s to Blame? A Question of Shared Responsibility
Brian Soby, CTO and co-founder of SaaS security firm AppOmni, says he’s not surprised Snowflake is taking a defensive posture and putting responsibility on the customer.
“The vendor can’t make it sound like their product could potentially cause an issue,” Soby says. However, cloud vendors have for years sold the idea that cloud is more secure than on-premises solutions. “We’ve sold that so hard that customers forgot that they still have responsibility. They still need to know what’s going on with their security configurations, they still need to know their third-party apps, and they still need to monitor and have good behavioral detections.”
Soby says the source of the breach likely extends beyond the single instance of the former Snowflake employee’s credentials being used. “You look at Ticketmaster with a 560-million customer breach, and it's like, all right, that doesn’t really sound like a demo instance -- to me, that’s a stretch.”
InformationWeek has reached out to Snowflake for comments and will update with any response.