Welcome to another blog where we dive into recent data breaches that have affected large companies. The idea of these posts is to pack as much useful information as possible into something that is quick and easy to read. Today we look at an incredibly interesting breach that is potentially still ongoing and has affected multiple very large companies. Please bear in mind that there is a lot of information online about the breaches we discuss today. We have done our best to find up-to-date and accurate data, but as always, we advise you to do your own research and check the facts.
On May 14th, 2024, Santander, the well-known Spanish banking group, made a public statement explaining that it had recently become aware of an “unauthorized access to a Santander database hosted by a third-party provider.” The bank, which employs around 200,000 people worldwide, including 20,000 in the UK, told the BBC that “UK customer data was not affected or lost in the hack”. It later came to light that customers in Chile, Spain and Uruguay, as well as all current and some former Santander employees, were the ones affected. Researchers at Dark Web Informer reported finding a post on a hacking forum in which a group calling itself ShinyHunters advertised the data for US$2m, claiming it included:
- 30 million people’s bank account details
- 6 million account numbers and balances
- 28 million credit card numbers
- HR information for staff
Now, let’s stop there for a minute and take a look at a company you have almost certainly heard of before. Ticketmaster, the world’s leading ticket distributor, was already generating more than US$1 billion in annual sales by 1993, and since its 2010 merger with Live Nation the combined company is estimated to control around 70% of the market for ticketing at major live event venues. It too fell victim to a data breach shortly after the Santander attack.
On the 20th of May, Ticketmaster’s parent company, Live Nation, discovered “unauthorized activity” in a third-party cloud database that mostly contained Ticketmaster data. In a later regulatory filing, Live Nation explained that on the 27th of May “a criminal threat actor offered what it alleged to be company user data for sale via the dark web”. Once again, the same cybercrime group, ShinyHunters, was reportedly the one selling the data: 1.3 TB of Ticketmaster records, said to cover more than 560 million people, for US$500,000.
Researchers at cybersecurity company Hudson Rock pointed out that the common denominator here is a cloud data platform called Snowflake. Snowflake, which boasts on its website of 9,822 customers worldwide, counts the likes of Adobe, Canva and Mastercard among them, and also provides services to both Santander and Ticketmaster.
On April 17th, before either the Santander or the Ticketmaster data had surfaced, Snowflake, the Montana-based data platform, reported unauthorized data access. The attackers are believed to have logged in to customer accounts using stolen credentials. The important detail is that the accounts that were compromised had no multi-factor authentication enabled and no network restrictions, so a valid username and password, lifted from an infected machine, was all that was needed. Although Snowflake said only a small number of customers had been affected, TechCrunch found hundreds of Snowflake customers’ credentials online, stolen by infostealer malware and accessible to exactly the people you do not want to have this type of information. As you can imagine, the companies mentioned so far are not the only ones feeling the heat from this attack. The Los Angeles Unified School District and Advance Auto Parts have been named, and Mandiant, which investigated alongside Snowflake, put the number of potentially affected organizations at around 165.
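The pattern that made this campaign work is easy to hunt for in your own account: a successful login, password as the only factor, no second factor, from an address your organisation never uses. The script below is an added example (not code from Snowflake, Hudson Rock or the original post) that runs that check over constructed sample rows shaped like the columns of Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY view; the corporate IP ranges and the factor values in the sample are assumptions for illustration, and real rows would be pulled from that view with a query and fed in the same shape.

```python
"""Hunt for single-factor (password-only) logins in Snowflake-style
LOGIN_HISTORY records.

Added example, not Snowflake's own tooling. The rows below are constructed
and only modelled on the columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
(EVENT_TIMESTAMP, USER_NAME, CLIENT_IP, REPORTED_CLIENT_TYPE,
FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR, IS_SUCCESS).
"""
from ipaddress import ip_address, ip_network

# Assumption: the organisation's known egress ranges. Anything else is
# "unexpected" and raises the severity of a password-only login.
CORPORATE_NETWORKS = [ip_network("198.51.100.0/24"), ip_network("10.0.0.0/8")]

# Constructed sample rows (not real telemetry). Factor values are illustrative.
SAMPLE_LOGINS = [
    {"EVENT_TIMESTAMP": "2024-04-14T02:11:09Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.45", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T09:30:00Z", "USER_NAME": "ANALYST_1",
     "CLIENT_IP": "198.51.100.23", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-14T09:31:12Z", "USER_NAME": "ANALYST_1",
     "CLIENT_IP": "198.51.100.23", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-15T22:05:41Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.45", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-04-15T22:06:03Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.45", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-04-16T11:00:00Z", "USER_NAME": "PIPELINE_SVC",
     "CLIENT_IP": "10.20.30.40", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "RSA_KEYPAIR",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]


def is_corporate(ip: str) -> bool:
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def find_risky_logins(records):
    """Return successful password-only logins, each tagged with a severity.

    'medium': password was the only factor, but the source IP is corporate.
    'high'  : password was the only factor AND the source IP is one the
              organisation does not use, which is the stolen-credential
              pattern the Snowflake intrusions relied on.
    """
    findings = []
    for r in records:
        if r["IS_SUCCESS"] != "YES":
            continue  # failed attempts belong to a separate spray detection
        if r["FIRST_AUTHENTICATION_FACTOR"] != "PASSWORD":
            continue  # key-pair / SSO / OAuth logins are not the abused path
        if r["SECOND_AUTHENTICATION_FACTOR"]:
            continue  # a second factor was satisfied
        severity = "medium" if is_corporate(r["CLIENT_IP"]) else "high"
        findings.append({
            "when": r["EVENT_TIMESTAMP"],
            "user": r["USER_NAME"],
            "ip": r["CLIENT_IP"],
            "client": r["REPORTED_CLIENT_TYPE"],
            "severity": severity,
        })
    return findings


def users_needing_mfa(records):
    """Users that completed at least one password-only login: MFA is not
    enforced for them, so they are the accounts to lock down first."""
    return sorted({f["user"] for f in find_risky_logins(records)})


if __name__ == "__main__":
    for f in find_risky_logins(SAMPLE_LOGINS):
        print(f"[{f['severity']:<6}] {f['when']} {f['user']:<12} "
              f"from {f['ip']:<15} via {f['client']}")
    print("enforce MFA for:", ", ".join(users_needing_mfa(SAMPLE_LOGINS)))
```

On the sample data this flags three logins (two from the service account on an unknown address, one interactive login where the second factor was absent) and lists both users as needing MFA enforced; the key-pair login and the failed attempt are correctly ignored. The same logic is the starting point for the remediation step that actually matters: enforce a second factor or key-pair auth on every account the report names, and add a network policy so a bare password from an unknown address cannot succeed at all.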
To go even further down the rabbit hole, the credentials used against Snowflake are believed to have come from a series of infostealer malware campaigns dating back to 2020, some of which infected machines at third-party contractors that happened to have access to their clients’ Snowflake accounts. ABC News reports that Sebastien Raoult, a French citizen who was living in Morocco, was arrested and extradited to the US for his involvement with the hacking group ShinyHunters (a case concluded before the Snowflake campaign). He was ordered to pay a whopping US$7.5 million in restitution. Because of the nature of these attacks, and the fact that these malicious actors often live in countries that do not always have strong relationships with the West, in our opinion it is unlikely any other arrests will be made.
This brings me to a similar question to the one I asked at the end of our last blog post. Do you think it should be mandatory for certain industries to receive regular pen-tests? This is one of the biggest attacks we have seen in recent years, and the knock-on effect is something all companies and customers must learn from. If you are a business that handles sensitive data and does not have proactive cybersecurity in place, with regular pen-tests of your systems, you may want to invest more time in it. Let this be the long overdue wake-up call. Also, if you deal with third-party companies, make sure they have the correct defences in place: in this case the whole chain relied on reused, single-factor passwords, so enforced MFA, network allow-lists and prompt credential rotation after an infostealer infection at any link would have broken it. The reputations of multiple businesses have been tarnished, and every attack in this chain could have been prevented if security was a more commonly discussed topic when collaborating with other companies. Tech is becoming more advanced by the day, and with modern, sophisticated programs and tools, malicious adversaries are becoming more efficient with their time.
It is a long road ahead for Snowflake and its reputation in the business world, a road from which it might never fully recover. If I were a customer such as Adobe, I would certainly be asking questions right about now.