
Cybercriminals Steal Data from 109 Million AT&T Customers

July 16, 2024
A double-whammy of third-party cybersecurity and human vulnerability.

Companies under new SEC reporting rules may delay disclosure of major cybersecurity breaches if disclosure carries potential risks to national security. Imagine a hack so bad that the U.S. Department of Justice grants permission to delay not once, but twice.

It’s precisely as bad as it sounds. As reported by BleepingComputer, AT&T on July 12 disclosed that the call logs for 109 million customers, i.e. nearly every mobile customer the company services, from May 1 to October 21, 2022 and also on January 2, 2023, were stolen from a database maintained by cloud provider Snowflake.

Via a Form 8-K filing with the SEC on the morning of Friday, July 12, AT&T disclosed that the data was stolen between April 14 and April 25, 2024. The DOJ granted the delays to report the breach on May 9 and June 5.

Manufacturers will want to pay attention to the fact that this was a breach in third-party cybersecurity, especially in an age when many vendors touting AI software for plant productivity store operations data in the cloud. Details of the hack also demonstrate why all companies must remain vigilant against the human factor.

Don’t Blame the Cloud…

Companies using cloud-based software-as-a-service (SaaS) have to worry about cybersecurity on their end, i.e. the people at their company accessing the cloud software, and cybersecurity at the company running the cloud servers. For large companies especially, the benefits still outweigh the risks.

“Having this data in a highly accessible, highly available cloud environment is desirable for numerous reasons. Going back to [local servers] isn’t a solution for large companies simply due to their global footprint. At that point, they see what they can do to reduce risk to what they deem is an acceptable level. In many cases, organizations are seeing the cost of a breach in some cases is less than the cost of nullifying that risk month after month,” says Tom Marsland, vice president of technology, Cloud Range, and board chairman of VetSec.

“Companies are not investing enough in their cybersecurity teams - they are understaffed and burnt out, simply because many large companies have realized they can get away with not further reducing that risk, and instead just pay out when the breach occurs,” Marsland adds.

“The fallout or ramifications of the Snowflake incident is huge,” says Jim Routh, chief trust officer at cloud-native identity and governance platform solutions provider Saviynt, also former CSO/CISO of American Express. However, he doesn’t think companies should blame this on cloud technology as a whole.

“Storing data on premises as an alternative is not required for security, improving security practices for cloud services is the requirement,” Routh says.

…Maybe Blame the People

Even if a cloud provider offers perfect cybersecurity hygiene, individual users with sloppy personal cybersecurity standards can enable criminals to break into systems anyway.

Glenn Chisholm, co-founder and chief product officer at Obsidian Security, says that Snowflake’s cybersecurity is not necessarily to blame for the breach. The fault probably lies with the human element.

“It is important to recognize that Snowflake always offered the option to enable multi-factor authentication (MFA). Therefore, the capacity to secure accounts was always present, but it depended on users choosing their desired security levels. This reflects the concept of shared responsibility in software-as-a-service (SaaS), where the security of identities, data, and application configurations falls on the user,” Chisholm says.

“It is crucial to understand that MFA alone will not secure all deployments. … Attackers circumvent MFA in nearly 70% of breaches. Therefore, along with proactive defense measures, it’s crucial to monitor users and service accounts with access to Snowflake to detect and prevent abuses,” Chisholm adds.

More Headaches Ahead for Snowflake

On the bright side, AT&T says the stolen data in and of itself does not directly expose anyone’s identity. It includes telephone numbers, interaction counts, and aggregate call durations among other data, but no Social Security numbers, dates of birth, or any content of calls or texts. AT&T also said on Friday that the company understood law enforcement has at least one suspect already in custody.

“This is a quick result compared to months of investigative actions as a norm,” says Routh. “It’s possible that the potential scope increased the appetite to spend on the best investigative talent.”

Snowflake, however, will have to look much harder for any silver lining. On July 11, the day before AT&T’s disclosure, Advance Auto Parts said the personal data of almost 2.3 million people was stolen off Snowflake’s servers in a breach reported via Form 8-K on June 19.

About the Author

Dennis Scimeca

Dennis Scimeca is a veteran technology journalist with particular experience in vision system technology, machine learning/artificial intelligence, and augmented/mixed/virtual reality (XR), with bylines in consumer, developer, and B2B outlets.

At IndustryWeek, he covers the competitive advantages gained by manufacturers that deploy proven technologies. If you would like to share your story with IndustryWeek, please contact Dennis at [email protected].

 
