Summary

  • Dozens of high-profile organizations suffered security incidents this year, showing that no business is immune from the risk of data breaches.
  • There are shared lessons in many of these incidents. Don’t rely on MFA alone for identity and access management.
  • Protect against social engineering attacks through phishing simulations and nudges.
  • Implement and rehearse an incident response plan. 
  • Use cloud-based data loss prevention for SaaS apps.

What do Uber, LastPass and Marriott have in common? They all suffered pretty huge cloud data breaches in 2022. Read on to discover how these incidents, and more, happened, and how you can stop the same thing from happening to your organization.

Uber

How it happened

On 15th September 2022, Uber employees received a Slack message from an unknown user, stating “I am a hacker.”  

The message alerted them to a data breach that had happened days before. How? Well, after the criminal purchased an Uber contractor’s username and password from the Dark Web, they tried to log in to the platform.

However, they ran into a roadblock: multi-factor authentication. Undeterred by the obstacle, they started harassing said contractor with fake multi-factor authentication (MFA) push notifications. 

Once the victim gave in to the MFA requests, unaware that they weren’t real, the criminal broke into Uber’s network through the company’s internal VPN. From there, they further manipulated Uber’s infrastructure to uncover administrative credentials, which they used to access sensitive information from the company’s Slack, DA, DUO, Onelogin, AWS, GSuite and much more.

Now, the criminal could have stolen this data and got away without ever being noticed, but they didn’t. They chose to publicly announce their hacking success to the media and to Uber itself.

Undoubtedly, this is an unusual move, but it makes sense once you realize that the criminal responsible was part of Lapsus$, a cybercriminal group motivated not only by financial gain but by the ‘joy’ of highlighting just how insecure many companies are.

How to avoid a similar incident 

The Uber incident reinforces that MFA alone is no longer enough to secure company infrastructure. Sure, it’s a solid foundational measure, but it’s not watertight. With enough grit, skill and determination, hackers can bypass MFA controls and then roam free in your applications undetected.

Don’t panic, though. Just because MFA can be bypassed doesn’t mean your business is a sitting duck. If you adopt a zero-trust approach, you’ll be able to stop incidents of compromised credentials in their tracks.

You see, with zero trust, you don’t just authenticate users when they attempt to log in. Instead, you continuously authenticate them in real time as they interact with resources in your IT environment.

It might sound impossible to achieve, but there are already tools out there based on the principles of zero trust.

Polymer data loss prevention (DLP), for example, uses a contextual risk engine to assess users as they go about different activities in SaaS apps. Based on the organization’s pre-defined levels of risk tolerance, compliance mandates and sensitive data policies, the engine then grants, prohibits or limits access to certain resources. 

With a tool like this in place, your data remains safe in the event of credentials compromise, meaning it’s no longer enough for a hacker to break into an account to steal data. 

They’d need to verify themselves again and again, and wouldn’t be able to!

LastPass

How it happened

This incident is a double whammy. LastPass actually suffered two data breaches this year, in a domino-style effect. First off, in August, the company confirmed that a threat actor had infiltrated its development environment through a compromised developer account. 

No information was released about how the hacker compromised the account, but we suspect they may have purchased their credentials on the dark web.

At the time of the August breach, the CEO reassured customers that their data was safe, and they didn’t need to make any changes to their accounts, as we covered here. 

Fast forward to November and LastPass released a blog post announcing another breach, explaining: “We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.” 

While LastPass has reassured customers that no passwords have been accessed, due to the strength of the company’s encryption technology, other personally identifiable data like names, addresses and dates of birth have been exposed. 

How to avoid a similar incident 

Put it this way: your development environment is the key to your corporate kingdom. If your organization has one, you need to protect it at all costs. If a malicious actor manages to break into it, they could move on to cause wide-ranging damage, accessing other applications and infrastructure in your business.

Here are some critical principles to consider for effective protection:

  • Enforce least privilege to restrict who can make changes to your code repository
  • Separate secret credentials from source code to prevent leakage. You can also implement controls like key rotation and automatic scanning to boost security.
  • In the event of malicious exfiltration, make it a priority to review your technical controls to secure the products, services and applications associated with your dev environment. 
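The “automatic scanning” control above, as an added example that is not Polymer’s or LastPass’s code: a minimal scanner of the kind a CI job or pre-commit hook would run over a repository. The rules, the entropy threshold and the sample files are constructed for illustration; the key id in deploy.sh is AWS’s publicly documented example value.

```python
"""Scan source files for credentials that belong in a secrets manager, the kind
of check the 'automatic scanning' control above refers to. Added example, not
Polymer's or LastPass's code; rules and sample files are constructed."""
import math
import re

# (rule, pattern): exact key formats first, then generic "key = 'value'" assignments
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),  # public AWS key id format
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded_credential", re.compile(
        r"(?i)\b(password|passwd|secret|api_key|api_token|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

def shannon_entropy(s):
    """Bits per character: random-looking keys score high, words and placeholders low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(path, text, min_entropy=3.0):
    """Return (path, line_no, rule) for each line that looks like a committed secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, pat in PATTERNS:
            m = pat.search(line)
            if m is None:
                continue
            # generic assignments only count when the value looks random, so that
            # placeholders such as "changeme" do not drown out real findings
            if rule == "hardcoded_credential" and shannon_entropy(m.group(2)) < min_entropy:
                continue
            findings.append((path, no, rule))
            break  # one finding per line is enough
    return findings

# Constructed repo: settings.py reads from the environment (correct); deploy.sh
# has a pasted key id (AWS's documented example value) and a live-looking token.
SAMPLE_FILES = {
    "settings.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n',
    "deploy.sh": ('AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n'
                  'export API_TOKEN="gq7Z2pLm9xRv4TbKw8Ns"\n'
                  'PASSWORD="changeme"\n'),
}

def scan_files(files=SAMPLE_FILES):
    """Scan every file and return all findings; a non-empty result should fail CI."""
    return [f for path, text in files.items() for f in scan_text(path, text)]
```

Wiring `scan_files()` into CI so that any finding fails the build keeps pasted credentials from ever reaching the shared repository, which is the point of separating secrets from source.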

Rockstar

How it happened

Lapsus$ struck again towards the end of September. Having wreaked havoc at Uber, they turned their attention to a new target: Rockstar Games, famously known as the creator of Grand Theft Auto.

As with the Uber breach, the criminals used fake multi-factor push notifications to log in to a Rockstar Games employee’s Slack account.

Once inside the app, they stole 90 videos of unreleased game footage and some of the company’s source code. 

For a detailed dive into this incident, read our anatomy of the Grand Theft Auto leak. 

How to avoid a similar incident 

The Rockstar Games incident highlights again that multi-factor authentication alone isn’t enough to protect organizations from malicious actors. 

Companies need to move towards a dynamic, zero-trust approach, where employee permissions are continuously authenticated during sessions to ensure they are who they say they are. 

In applications like Slack, Teams and Zoom, the best way to adopt zero-trust is through a DLP solution like Polymer DLP.  

Our solution uses artificial intelligence (AI) to protect against insider threats by spotting and responding to suspicious activity in real-time.

For example, suppose a user attempts to download a folder of trade secrets, or a large amount of unreleased video footage, from Slack. In that case, Polymer DLP will block the action and alert the IT team at the same time, so they can review the request in more detail.

Rather than being on the back foot and responding to breaches when it’s too late, you can stay one step ahead of malicious actors like Lapsus$.

Twilio

How it happened

In this incident, an unknown threat actor used SMS phishing messages to dupe numerous Twilio employees into sharing their login credentials, which then enabled the attacker to access the company’s internal systems. 

The SMS messages took the form of a phony text from Twilio’s IT department, notifying employees that their password had expired and needed to be updated. The texts also linked to a fraudulent web page that looked like one from Okta, the identity and access management provider that Twilio uses.

When employees clicked through to the fake web page, a few entered their details. Rather than changing their password, however, the page forwarded these details to the threat actor, who then used them for their own ends.

Twilio didn’t disclose exactly what the cyber criminals managed to exfiltrate once inside the company’s systems. 

In a blog post on the attack, Twilio stated that the malicious actors “were able to access certain customer data.” 

How to avoid a similar incident 

Twilio itself said it has “reemphasized our security training to ensure employees are on high alert for social engineering attacks.” 

From our view, this is one of the most important takeaways for organizations: the importance of security awareness and training.

But, before you book your next training away day, consider this: knowledge retention rates drop by more than 50% when training runs longer than two minutes.

So, instead of opting for hour-long eLearning sessions and classroom training, try integrating security awareness into your employees’ daily workflows.

Polymer DLP, for example, offers in-app nudges that alert your employees to risky behaviors before they perform them, such as clicking on a phishing email or sharing sensitive data with a third party.

You can find out more about our nudge solution here.

Cisco

How it happened

In May of this year, threat actors managed to infiltrate Cisco’s network by compromising the credentials of a Cisco employee’s personal Google account. Once in the account, they managed to gain access to the individual’s corporate password due to the password synchronization feature in Google Chrome. 

Now, like many companies, Cisco makes use of multi-factor authentication to safeguard access to its corporate VPN, but this attacker was stealthy. 

They used a combination of voice phishing and SMS phishing (smishing) to harass the employee with fraudulent MFA push requests, phoning them while impersonating trusted support companies that Cisco works with.

The employee, none the wiser to the fact that these requests were fraudulent, eventually shared their details with the attacker, enabling them to access Cisco’s network.  

Once they managed to gain a foothold in the corporate network, the cyber criminals moved to the company’s Citrix servers and domain controllers.

In a blog post on the attack, Cisco Talos explained: “They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.” 

From there, the malicious actors used enumeration tools such as secretsdump to scour for more data and also installed a backdoor – likely with the intention of triggering a ransomware attack further down the line, although no such payloads were found. 

Luckily, Cisco managed to find the bad guys and kick them out of its infrastructure before they could launch a ransomware attack or steal any sensitive data!

How to avoid a similar incident 

Like the recent Twilio data breach, this hack shows just how effective social engineering attacks can be, where hackers trick employees into sharing sensitive information via email, SMS or phone through impersonation and persuasion. 

Phishing attacks have been around since the dawn of the internet, yet there’s still no way to stop human error 100%. To that end, you need to make sure you equip your employees with the right tools to avoid falling for scams.

Polymer DLP can help you mitigate the risks of phishing scams. Our self-learning engine features in-app training prompts that nudge users towards secure choices in real time. 

On top of awareness training, Polymer DLP prevents privilege abuse through data access control mechanisms, which ensure that only legitimate, verified employees are able to access company data. This tackles the issues of privilege misuse and compromise that are common in successful social engineering attacks.
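The MFA push-fatigue pattern behind the Uber, Rockstar and Cisco intrusions, where a victim is flooded with prompts until one is approved, is also visible in the identity provider’s logs. The detection below is an added example, not Polymer’s code; the log format, user names and ten-minute window are constructed for illustration.

```python
"""Flag MFA push fatigue: a burst of denied or expired push prompts followed by
an approval, the pattern behind the Uber, Rockstar and Cisco intrusions.
Added example, not Polymer's code; the log format below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <user> <push result>"
SAMPLE_LOG = """\
2022-09-14T22:01:05Z contractor01 push_denied
2022-09-14T22:01:40Z contractor01 push_denied
2022-09-14T22:02:15Z contractor01 push_timeout
2022-09-14T22:03:02Z contractor01 push_denied
2022-09-14T22:04:50Z contractor01 push_denied
2022-09-14T22:07:30Z contractor01 push_approved
2022-09-14T22:05:00Z alice push_approved
2022-09-14T23:10:00Z bob push_denied
2022-09-14T23:12:00Z bob push_approved
"""

WINDOW = timedelta(minutes=10)  # how far back to count rejected pushes
MIN_REJECTS = 3                 # rejections before an approval is suspicious
REJECTED = {"push_denied", "push_timeout"}

def parse_log(text):
    """Return (timestamp, user, result) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def detect_push_fatigue(text, window=WINDOW, min_rejects=MIN_REJECTS):
    """Map each user whose approval followed >= min_rejects rejections inside
    the window to that rejection count; such approvals warrant a session review."""
    recent = defaultdict(list)  # user -> timestamps of recent rejected pushes
    alerts = {}
    for ts, user, result in parse_log(text):
        recent[user] = [t for t in recent[user] if ts - t <= window]  # age out
        if result in REJECTED:
            recent[user].append(ts)
        elif result == "push_approved":
            if len(recent[user]) >= min_rejects:
                alerts[user] = len(recent[user])
            recent[user].clear()  # a legitimate approval resets the counter
    return alerts

if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_LOG))  # {'contractor01': 5}
```

A single denial before an approval (bob) is normal user behaviour and stays below the threshold; the flagged approval is the one worth pairing with the zero-trust session checks described above.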

Sequoia 

How it happened

HR platform Sequoia’s Christmas spirit may be slightly dampened this year, after the company suffered a huge hack in early December. 

In a statement, Sequoia shared that criminals had accessed a treasure trove of customer PII and PHI, including Social Security numbers, addresses, dates of birth, gender, marital status, employment status, and even COVID-19 test results. Oh dear.

In its data breach notice to the California attorney general’s office, Sequoia explained that it had become aware an “unauthorized party accessed a cloud storage system that contained personal information” between September and October 2022. 

Sequoia shared that, following a forensic review, it had found no evidence of malware in its systems and was confident that there was no ongoing unauthorized access to its infrastructure. Plus, because the hacker only had “read-only” access, it was confident no client data had been altered. The hacker could still have made copies, though.

How to avoid a similar incident 

The details of how this breach happened are still pretty hazy. We know an unknown entity managed to infiltrate Sequoia’s systems, but we don’t know how. 

One thing’s for sure, though. In line with compliance requirements under HIPAA and GDPR, your company’s PHI and PII should be protected with the utmost care. 

Only authorized and verified users should have the power to access this information. Having this data as “read-only” isn’t enough. You need to ensure access is only granted on a need-to-know basis. 

Beyond that, this incident serves as a reminder of the importance of timely incident response. Discovering that you’ve been hacked two months after the breach puts your customers at high risk of fraud. 

You need to review and improve your incident response processes, so you can quickly discover, quarantine and remediate breaches. For more advice on improving incident response, we recommend reading NIST’s Computer Security Incident Handling Guide.

Marriott

How it happened

The Marriott hotel chain seems to be very unlucky in the realm of security, suffering its third breach in four years over the summer.  

In this incident, a hacking group used social engineering tactics to trick an employee at the company’s Maryland office into sharing their password. 

The group used these details to access Marriott’s internal systems, stealing 20GB of data, including customer credit card info and internal company documents. 

Initially, the hacking group attempted to extort money from Marriott for the information, apparently stating that they wouldn’t publicize the successful hack if the company paid up. 

However, after Marriott declined to pay, the group kept its promise, publishing an exclusive interview with a well-known data breach resource detailing the incident. 

How to avoid a similar incident 

We all know that phishing awareness training is a vital aspect of effective security. However, as the Marriott incident shows, not all phishing training works. In fact, research shows that 97 percent of users are unable to identify sophisticated phishing emails.

To empower your users to spot these threats, one of the best things you can do is implement simulated phishing campaigns.

On top of that, remember that building a culture of security is a holistic endeavor. Beyond phishing training, consider how you can use security nudges to keep security front of mind for your employees. Our solution, for example, incorporates nudges into popular cloud applications like Slack, Teams and Google Workspace.

Over time, these in-app nudges can effectively build a data security culture by putting security front of mind for your employees – without taking them away from their workflow. We’ve found that our solution reduces risky data sharing behavior by over 70% in 1 month.

Wrapping up

Organizations can certainly learn a lot from these incidents. In most cases, the attacks weren’t particularly complex or sophisticated. They relied on human error, negligence and a lack of data-centric security controls. This is good news, as it means making security improvements is pretty straightforward.

So, looking ahead to 2023, we recommend organizations double-down on their approach to security education and identity and access management. In particular, we highly advise moving beyond MFA to focus on securing access to data at the source.

If you’d like help with achieving this, contact us. Our smart, scalable DLP solution protects sensitive data across cloud apps, automatically reduces the risk of data exposure and trains your employees in real time.

Polymer is a no-code data loss prevention (DLP) platform that allows companies to monitor, auto-remediate, and apply behavioral techniques to reduce the risk of insider threats, sensitive data misuse, and leakage over third-party SaaS apps. Try Polymer for free.
