There’s something missing here.

From what the Hudson Rock article shows, they were able to use an SE’s creds to access their demo account. This is not a customer account and shouldn’t (but of course could) contain sensitive info. It’s not clear to me how this snowballed into a larger breach.

Perhaps customers had granted this SE access to their accounts and the data within. Or perhaps there’s a deeper hack. But this isn’t clear to me from what I’ve read.

I was just going to post the same thing. The files that they show in the screenshots are things like PROGRESSIVE_BID_CHANGE_202405271129.csv. Looks suspiciously like the Snowflake Sales Engineer's data for their job role closing a deal with Progressive, not Progressive's own data. And there's no reason to think that a SE would have broad access to customer data. There may be some overlap, but I doubt it contains sensitive customer data owned by Progressive.

You’re thinking “bid” is in reference to Snowflake bidding for progressive as a client?

I’d say thats not likely, I work in fintech and the first thing this filename indicates to me is a CSV feed of market data for bid prices (https://en.m.wikipedia.org/wiki/Bid_price)

This is a common type of dataset a firm would dump into a datalake to use as reference data lookups against other more sensitive data (for pricing trades, etc.)

Something similar happened at a previous employer. Contractor was hired to do a big data PoC, and they managed to cajole access to a prod data dump for a more impactful demo.

They then managed to load all this PII data into an ElasticSearch instance that was open to the internet and was discovered by threat actors.

I wouldn’t be surprised to find that something similar happened here, where an unscrubbed prod dataset was shared for a better demo.

There may have been administrative access that was not properly secured.

No, that sounds about right. This is a new, agile, cloud-first company that grew very quickly and has faced significant turnover. You don't get such growth by doing everything right.

Looking at linked-in, the unlucky employee could be someone in a sales role, with only 7 months of tenure. Every company has a few sysadmins with a scary amount of reach, but that's not what happened here.

Edit: A ServiceNow access request flow with poor internal controls would explain it.

>> This is a new, agile, cloud-first company that grew very quickly and has faced significant turnover.

This is not really true of Snowflake, which is not some 2-person YOLO startup, and it's also pretty irrelevant as the weakest link is often a single employee regardless of the size or industry of the company. In my experience the support and security is way better than average - example: as a client of both Snowflake and Sisense, Snowflake reached out to me about the Sisense breach before Sisense did.

Its support and security posture could very well be better than average. Looking a other breaches (Qlik Attunity, Microsoft AAD, ...) indicates that being better then average is not enough if you're a sufficiently attractive target.

It's not a new tiny company. It's about 12 years old with 7000 employees. They know they are dead if they are not hot on security, so at the moment I would take this story with a big pinch of salt. Quite possible certain customer configurations have been attacked, but that is a different thing.

(new) sales person with an uber account that has access to carte blanche customer data. This is not only a disaster, if true, but also violates probably every certification under the sun, if they had any at all. Reminder Snowflake is a couple of sales persons from Oracle and a techie.

I'm not sure it does, perhaps it violates the spirit but not the letter.

You need a way to give your employees access to customer data; for support cases. So you build a "request access" form in your ITSM. Now you can tick off every box related to certification: There is a process. Only authorized persons have access. Every aspect of it can be audited.

Later, perhaps sales people (the 1000's of new joiners) start using it as well for lead generation. It's a lot easier to sell if you know how your product is used by other companies in the same industry.

Much later, someone's account is compromised, makes the same requests and it gets waved through. Why wouldn't it ? It is a valid request made by a current employee of the company. What other criteria would apply ? This is not a bank.

Aside all things stated that are wrong from security perspective - how about limit the qty and rate any such support account has access to? Breaching an account shouldn't give you access to dump everything out the gate. Even if that is the case, where are other measures alerting there's a stream of egress going on? This sounds like systemic issue which most certs are all about.

> What other criteria would apply?

Many companies have processes that require 2 or more humans in the loop for sensitive prod data.

You're lucky if it's only 2 and the approval process takes less than months.