As organisations more and more migrate to the cloud, securing delicate information has by no means been extra crucial. Whereas cloud computing affords flexibility and scalability, it additionally opens the door to a variety of safety dangers.
From easy misconfigurations to advanced insider threats, cloud safety breaches have value corporations large sums of cash and compromised tens of millions of customers’ non-public data. On this article, we discover 10 high-profile cloud safety failures, each offering a significant lesson within the significance of strong safety practices. These real-life incidents function cautionary tales for companies counting on cloud providers, providing key takeaways to assist stop the following main breach.
Right here’s what went incorrect, what might have been carried out otherwise and the way corporations can fortify their defences in opposition to the ever-evolving panorama of cloud safety threats.
1. Dropbox (2012)
Incident: A hacker obtained Dropbox person credentials by means of a third-party breach and accessed customers’ cloud-stored recordsdata, exposing tens of millions of accounts.
Response: A Dropbox investigation decided that usernames and passwords stolen from different web sites have been used to register to “a small quantity” of Dropbox accounts. The corporate contacted these customers, providing to assist them defend their accounts.
Aditya Agarwal, then VP of engineering at Dropbox, mentioned: “A stolen password was additionally used to entry an worker Dropbox account containing a challenge doc with person electronic mail addresses. We imagine this improper entry is what led to the spam.” He added that Dropbox was placing extra controls in place to assist ensure there was no repeat of the difficulty.
The cloud storage agency opted to introduce two-factor authentication (2FA) and enhanced safety monitoring to stop future breaches. Later, in 2016, it was revealed that the breach had affected greater than 68 million person accounts. Dropbox prompted customers who hadn’t modified their passwords since 2012 to take action as a precautionary measure.
Lesson: The significance of sturdy, multi-factor authentication (MFA) and monitoring for uncommon login exercise.
2. Snapchat (2014)
Incident: Snapchat’s cloud-based infrastructure was compromised as a result of vulnerabilities in the way in which it dealt with person information. Hackers exploited cloud techniques and leaked tens of millions of photographs.
Response: On this information leak, sometimes called “The Snappening, Snapchat itself was indirectly hacked. As a substitute, third-party apps that saved Snapchat photographs have been compromised. A spokesperson for the corporate mentioned: “Snapchatters have been victimised by their use of third-party apps to ship and obtain Snaps.
We expressly prohibit third-party apps that entry our service, as they compromise customers’ safety.” Snapchat warned customers in opposition to third-party apps and improved its safety insurance policies to assist stop unauthorised entry.
Lesson: Correct safety measures for person information and picture dealing with in cloud storage can stop mass information leaks.
3. Uber (2016)
Incident: Hackers accessed Uber’s cloud-based storage and obtained private information of 57 million customers and drivers. Uber initially did not report the breach.
Response: Uber executives finally commented on the breach in 2017, however solely after it had been made public. The transportation agency confirmed that 57 million accounts have been compromised, together with names, electronic mail addresses and cellphone numbers of customers and drivers. As a substitute of reporting the breach on the time, Uber paid the hackers $100,000 beneath the guise of a bug bounty to delete the information and stay silent.
In November 2017, Dara Khosrowshahi, who grew to become Uber’s CEO after the breach, admitted Uber’s failure to reveal the incident sooner. He mentioned: “None of this could have occurred, and I can’t make excuses for it. We’re altering the way in which we do enterprise. We’re taking steps to make sure that we do the best factor going ahead.”
Joe Sullivan, Uber’s CSO in the course of the breach, was later fired and charged with masking up the hack. Prosecutors accused him of obstructing justice by misclassifying the breach as a bug bounty fee. Throughout his 2022 trial, Sullivan defended his actions, stating: “I used to be following the processes that have been in place at Uber on the time.”
Nonetheless, he was discovered responsible of obstructing justice, marking the primary time a safety govt was convicted for mishandling a knowledge breach. After this scandal, Uber strengthened its safety insurance policies and reached a $148m settlement for failing to reveal the breach.
Lesson: Recurrently monitor and safe cloud storage, implement strict entry management, and guarantee correct incident response protocols.
4. AWS S3 Breach (2017)
Incident: An enormous information leak occurred when corporations mistakenly left AWS S3 buckets publicly accessible. This uncovered delicate information akin to buyer data, inside enterprise paperwork, and personal communications.
Response: AWS emphasised that the breaches weren’t as a result of vulnerabilities in AWS itself, however fairly misconfigurations by clients who inadvertently left their S3 storage buckets publicly accessible.
The cloud computing supplier issued an announcement clarifying that these breaches have been the results of person error, explaining: “Amazon S3 is safe by default, and bucket entry is managed by the client. We offer clear steerage and instruments for purchasers to configure their assets securely.”
AWS continued to roll out additional security measures and enhancements to assist clients defend their information.
The next yr, the AWS CISO, Stephen Schmidt (AWS CISO), addressed these issues at AWS re:Invent 2017. He mentioned: “The primary safety threat we see right now remains to be misconfiguration. We strongly encourage clients to make the most of encryption, IAM insurance policies and entry management options to stop unintentional publicity.”
Lesson: All the time configure entry permissions rigorously and recurrently audit cloud storage for safety dangers.
5. Accenture (2017)
Incident: Accenture by accident uncovered its inside cloud databases, which contained delicate consumer data, together with passwords, as a result of weak safety configurations.
Response: Upon discovery, Accenture promptly secured the uncovered information and acknowledged: “There was no threat to any of our shoppers – no energetic credentials, PII, or different delicate data was compromised.”
It additional clarified that the uncovered data didn’t grant entry to consumer techniques and was not associated to manufacturing information or functions.
Lesson: All the time encrypt delicate information and punctiliously handle entry to cloud-based infrastructure.
6. GitHub (2018)
Incident: GitHub skilled an enormous DDoS assault that leveraged the cloud’s means to scale. The assault overwhelmed GitHub’s infrastructure, however the incident confirmed how cloud providers can each allow and mitigate large-scale assaults.
Response: This DDoS assault was one of many largest ever recorded on the time, peaking at 1.35 terabits per second (Tbps). It was a memcached amplification assault, which leveraged unsecured memcached servers to flood GitHub’s infrastructure with visitors.
After efficiently mitigating the assault, GitHub’s engineering workforce revealed a weblog put up detailing the incident. It acknowledged: “Between 17:21 and 17:30 UTC, GitHub was impacted by a record-breaking volumetric DDoS assault. We briefly skilled intermittent availability, however our techniques robotically mitigated the assault. We modeled our DDoS response capabilities on earlier assaults and instantly routed visitors to our DDoS mitigation supplier.”
GitHub engineer Sam Kottler added: “This was the biggest DDoS assault we – and the world – had ever seen on the time. Cloud-based mitigation methods helped take in the huge inflow of visitors.”
Lesson: Cloud providers are extremely scalable, nevertheless it’s important to have DDoS mitigation methods in place, even in cloud environments.
7. Capital One (2019)
Incident: A misconfigured AWS S3 bucket uncovered delicate information from over 100 million clients. A former AWS worker exploited a vulnerability, accessing private data, credit score scores and banking particulars.
Response: On July 29, 2019, Capital One introduced that on July 19, 2019, it had decided there was unauthorised entry by an outdoor particular person who obtained sure forms of private data regarding individuals who had utilized for its bank card merchandise and to Capital One bank card clients.
Capital One mentioned it instantly fastened the configuration vulnerability that was exploited and promptly started working with federal legislation enforcement. The person accountable for the breach was arrested by the FBI, and Capital One supplied free credit score monitoring and identification safety to these affected.
Lesson: The significance of correct configuration administration and entry management in cloud providers.
8. Microsoft (2019)
Incident: In 2019, Microsoft uncovered tens of millions of buyer help information as a result of misconfigured cloud storage settings. The information was saved in Azure Blob Storage, and it was found that the information, which included buyer help tickets and different delicate data, have been publicly accessible as a result of improper safety configurations.
Response: Microsoft shortly secured the uncovered information and acknowledged {that a} third-party vendor was accountable for the error. They clarified that the information was not accessed by malicious actors however was publicly seen because of the misconfiguration. Microsoft labored to stop related incidents sooner or later by tightening safety protocols for cloud storage.
Lesson: This incident highlights the crucial significance of appropriately configuring cloud storage and imposing correct entry controls. Common safety audits and monitoring are essential to establish and repair vulnerabilities earlier than they are often exploited.
9. Fb (2019)
Incident: Fb uncovered over 540 million information by means of unsecured cloud storage, together with information akin to person feedback, likes, and reactions, making it susceptible to exterior entry.
Response: After the publicity was found, Fb acknowledged that third-party builders have been accountable for the unsecured storage. Fb clarified that the information was indirectly leaked from its personal techniques however was the results of improper safety practices by app builders who used Fb’s APIs to gather person information.
Fb reportedly labored to inform the third-party builders and inspired them to repair the safety vulnerabilities. It additionally restricted entry to the API that allowed apps to gather such information, making it more durable for future information leaks to happen as a result of misconfigurations.
Lesson: Guarantee cloud storage is appropriately configured and implement encryption to guard information at relaxation.
10. Slack (2020)
Incident: Slack’s cloud infrastructure was compromised after an worker’s API token was uncovered publicly. This allowed unauthorised entry to delicate company information.
Response: Slack acknowledged the breach and supplied particulars to clients on how the incident was dealt with. It emphasised that the incident was restricted in scope and didn’t result in a broader compromise of their infrastructure.
In a weblog put up it acknowledged: “We’ve got decided that the incident was the results of an uncovered API token. It allowed unauthorised entry to sure components of our system. The difficulty has been totally resolved and the uncovered token has been invalidated.”
The corporate additionally burdened that no delicate person information (akin to non-public messages or account credentials) was uncovered within the breach.
Slack up to date its safety practices round API token administration, encouraging organisations to make use of safer strategies for dealing with API tokens and to undertake extra authentication measures to stop future incidents.
Lesson: Recurrently monitor and rotate API tokens and keys to mitigate the danger of misuse.
Picture by Akash Kumar from Pixabay
Need to be taught extra about cybersecurity and the cloud from trade leaders? Try Cyber Safety & Cloud Expo happening in Amsterdam, California, and London.
Discover different upcoming enterprise know-how occasions and webinars powered by TechForge right here.