Ticketmaster, one of the world's largest ticketing companies owned by global entertainment giant Live Nation, has finally confirmed the rumours that had been swirling through the infosec community for days.
The company had suffered a breach of enormous scale, with an estimated 560 million personal accounts from customers across the world exposed by a nefarious hacking group. Data stolen included names, email addresses, and partial credit card records – with a cybercriminal group now threatening to flog the database on the dark web.
While the details of the breach are still emerging, the story that seems to be forming about what happened is an interesting one. According to various reports, the data was comprised via a third party – specifically Snowflake, a SaaS tool Ticketmaster reportedly used for database storage and analysis.
It appears that the hacker had found a weak spot between commonly misunderstood shared responsibilities between a business and its SaaS provider. The attacker gained access to legitimate credentials using ‘infostealer’ malware, then used those credentials to log into Snowflake. This attack might have been prevented if multifactor authentication (MFA) was in place. However, like most SaaS services, Snowflake strongly recommends the use of MFA, but it is the customer’s responsibility to enforce it.
This isn’t the first we’ve seen attacks like these, and it won’t be the last. In fact, multiple other enterprises have seen their Snowflake accounts hijacked and compromised. Nor is this a problem isolated to Snowflake – in theory, any SaaS platform can be attacked using this weakness.
SaaS platforms are great productivity tools – the cloud has enabled and helped organisations boost accessibility immensely, particularly when hybrid and remote working were suddenly thrust upon us during the pandemic.
With the cloud and SaaS, employees can log on to their business-critical platforms from the comforts of home, or a client’s premises, or even at the airport - and work just as well as if they were in the office. Unfortunately, this freedom comes with a degree of risk. Credential stealing malware, which flourishes outside the confines of the office, can easy sweep private and remote devices, such as laptops and BYOD devices, with opportunistic hackers becoming increasingly adept at scanning for logins and passwords attributable to specific vendor domain names.
Once the credentials are harvested through malware, all the cyber criminals need to do is keep trying until they find an account that works, preferably without multifactor authentication – and they are in. From there, its exceptionally easy to download data undetected, as such cloud services typically sit beyond the reach of security monitoring tools.
And just like that, a cybercriminal syndicate has access to your sensitive data – and you best believe they will leverage that data to try and extort as much financial gain as possible, whether through ransoming the victims, or selling to other criminals on the dark web.
That is the reality of SaaS, and all cloud – without the right security practices, they can be the undoing of your business rather than the productivity and collaboration silver bullet every organisation hopes for. It is important to understand that Cloud services are not secure by default, and the customer is always accountable for ensuring they are secured.
So what security lessons can businesses take from Ticketmaster, and other third-party cloud breaches?
First, make sure you understand exactly what information is being stored by third parties. This is the golden rule for any data. Once you know what you are storing and where, you can start to make good decisions around how to protect that data from a risk perspective. It will also help you in the face of an incident - an up-to-date data inventory enables you to more rapidly understand a breach and communicate its consequences to people who are affected and regulatory authorities.
Secondly, it is important to remember that the cloud, and any SaaS platform, is a shared model of responsibility. Vendors usually have the right controls available, but do not enable them by default. As the consumer of the service, you must uphold your end of the security bargain by ensuring those controls are configured correctly. For example, Snowflake has a multi-factor authentication option for logins, but it is not the default setting. In the Ticketmaster example, making that one feature mandatory may have averted the entire crisis.
And thirdly, setting policies and guidelines will help your people enable security, even when working from home. Depending on the level of risk, you may want to set guidelines around using SaaS tools, such as only being able to access platforms through company approved and monitored devices.
Ultimately, despite a third player’s involvement in the breach, it’s TicketMaster that holds the legal responsibility to protect their customers’ data Similarly it is Ticketmaster who is answerable to consumers, regulators and public opinion. However, don’t let this breach scare you from embracing SaaS tools in your organisation. Rather, take this as a reminder to ensure security is at the forefront of any endeavour into SaaS or the cloud, lest your business be catapulted into the headlines over the next big breach.