
Mandiant, a security firm investigating the data theft alongside Snowflake, identified a "financially motivated threat actor" called UNC5537 as the group responsible for the systematic compromise of Snowflake customers [5]. This group used login credentials stolen via historical infostealer malware infections on non-Snowflake-owned systems. Mandiant linked the data breaches at Ticketmaster, Santander Bank, and LendingTree subsidiary QuoteWizard to the compromised Snowflake cloud storage accounts by tracking the activity of UNC5537. The compromised accounts did not have multi-factor authentication (MFA) enabled, and the stolen credentials were still valid, in some cases years after they were stolen.

The data stolen in the breach of Snowflake cloud storage customers includes sensitive records from Ticketmaster and Santander Bank. The Ticketmaster breach potentially impacted 560 million customers and included names, email addresses, phone numbers, physical addresses, transaction details, and partial payment card information. The Santander Bank breach affected 30 million customers and involved bank account details, account numbers and balances, credit card numbers, and HR information for staff. Data from LendingTree subsidiary QuoteWizard was also linked to the Snowflake cloud storage accounts used by these companies.

Snowflake and Mandiant have taken several steps to notify and assist the affected customer organizations. They have identified at least 165 Snowflake customer organizations that may have been compromised since the ongoing threat activity was discovered in April. Mandiant, the security firm investigating the data theft alongside Snowflake, has notified these affected organizations. Furthermore, the two companies have engaged in outreach to potentially impacted organizations, urging all customers to enforce Multi-Factor Authentication (MFA) and to set up network policy rules that allow only authorized users and trusted traffic sources to access Snowflake databases [12]. Additionally, Snowflake has provided instructions for customers to review their accounts for unusual activity and ways to set up account and network policies to prevent similar attacks [15].
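The three recommendations above (find accounts still relying on a password alone, enforce MFA, restrict access to trusted sources) can be worked through from a Snowflake worksheet. The following is an added example, not text or code from the report or from Snowflake's published guidance; the policy name and the IP ranges are placeholders, and the queries use the standard `SNOWFLAKE.ACCOUNT_USAGE` views, which lag live activity by up to a few hours.

```sql
-- Added example: audit password-only Snowflake logins, list users without MFA,
-- then restrict the account to trusted egress ranges with a network policy.
-- Policy name and CIDRs below are placeholders chosen for illustration.

-- 1. Successful logins in the last 90 days that used no second factor.
--    A credential stolen by an infostealer years ago only still works when
--    the password is the sole factor, so these rows are the priority list.
SELECT
    user_name,
    client_ip,
    reported_client_type,
    first_authentication_factor,
    second_authentication_factor,
    event_timestamp
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 2. Active users who hold a password but have not enrolled in Duo MFA
--    (Snowflake's built-in MFA option). Each one needs enrollment or
--    a switch to SSO/key-pair authentication.
SELECT name, has_password, ext_authn_duo, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Allow only trusted traffic sources at the account level.
--    Replace the documentation ranges with the organisation's own egress
--    CIDRs, and include the administrator's current address before
--    activating, since the policy takes effect immediately.
CREATE NETWORK POLICY corp_only_policy                        -- placeholder name
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')     -- placeholder CIDRs
  COMMENT = 'Allow only corporate egress; review on a schedule';

ALTER ACCOUNT SET NETWORK_POLICY = corp_only_policy;
```

Re-running query 1 after the policy and MFA changes is the check that matters: any remaining password-only success from an address outside the allowed list indicates the controls are not yet applied to that user.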