Cloud Data Security: Top 5 Breaches So Far in 2023
As cloud computing continues to grow in popularity, so too does the importance of cloud data security. In fact, a new report from Infosecurity Magazine found that 63% of organizations have experienced a cloud data breach in the past year.
The report also found that the average cost of a cloud data breach is now $3.86 million. This is a significant increase from the average cost of a data breach in 2022, which was $3.23 million.
This entry covers the top 5 cloud security data breaches and makes recommendations for your organization to address cloud data security issues.
The Top 5
Listed below are the top 5 Cloud data security breaches announced so far in 2023:
In January 2023, T-Mobile disclosed that a data breach had exposed the personal information of over 30 million customers, including names, addresses, Social Security numbers, and driver’s license numbers. The breach was caused by a misconfiguration in T-Mobile’s cloud infrastructure.
This “misconfiguration” was an S3 bucket that was had public access. In other words, anyone who stumbled across this URL (or more likely had a bot looking for open S3 buckets) could read the information held within. Personally, I find these “misconfigurations” unacceptable, more so now than ever. The S3 console practically screams at you that a bucket is public now. There’s literally a big red box with PUBLIC listed on the bucket whenever you access the console. Honestly, AWS can’t do much more. This one is 100% on T-Mobile.
2. Yum Brands
In April 2023, Yum Brands, the parent company of KFC, Taco Bell, and Pizza Hut, disclosed that a data breach had exposed the personal information of over 500,000 employees, including names, addresses, and Social Security numbers. The breach was caused by a phishing attack that targeted Yum Brands employees.
I know, phishing attacks are a tough one. It seems impossible to stop all employees from clicking links in what appear to be a legitimate email domain. I think the days of typos and broken English messages that have been used as dead giveaways are gone. AI has changed the game forever.
In March 2023, ChatGPT, a chatbot development platform, disclosed that a data breach had exposed the personal information of over 100,000 users, including names, email addresses, and chat logs. The breach was caused by a misconfiguration in ChatGPT’s cloud infrastructure.
While not as bad as an open S3 bucket, the ChatGPT “misconfiguration” was a Redis NoSQL database that was open to the public. Is this a problem with the development team? Change Management not performing security reviews prior to deployment?
In March 2023, Chick-fil-A disclosed that a data breach had exposed the personal information of over 250,000 customers, including names, addresses, and payment card information. The breach was caused by a third-party vendor that Chick-fil-A uses to process payments.
Ah, the good old cyber supply chain. It’s getting to the point that suppliers should have to undergo some form of security certification prior to onboarding and through the life of the partnership. In this case, the 3rd party (claimed to be NCR) experienced a phishing attack that lead to compromise. If it was NCR as many claim, you have to wonder how many other companies were impacted. It also goes to show that you can’t trust a company just based on their name.
In February 2023, Activision, the video game publisher, disclosed that a data breach had exposed the personal information of over 500,000 employees, including names, addresses, and Social Security numbers. The breach was caused by a phishing attack that targeted Activision employees.
Again, another phishing attack. Almost like the human is the weak link in the cyber chain, isn’t it? These phishing attacks will continue. In fact, I’d like to propose there are three absolute truths in life now for security leadership: Death, taxes and phishing attacks.
Reasons for the increase in cloud data breaches
The report attributes the increase in cloud data breaches to a number of factors, including:
The growing use of multi-cloud environments, which can make it difficult to track and manage data across multiple providers.
This is a very true statement. The principles of security (such as not exposing data to the entire world for starters) are true in all cloud environments, just like they are for internal systems. The problem arises in the HOW of securing in a particular provider’s platform. This requires both vendor agnostic cloud training (such as CCSK, CCSP, CloudGRC) and platform specific training AFTER the vendor agnostic training is done.
The increasing sophistication of cyberattacks, which are becoming more targeted and sophisticated.
Personally, phishing attacks are nothing new. As stated before though, the game is changing. Scammers are using generative AI such as ChatGPT to craft compelling emails to trick even the most aware staff.
The lack of awareness of cloud security best practices among organizations.
Again, this training MUST be vendor-agnostic training. Vendor training is made by the vendors and they will gloss over known issues on their platforms that don’t follow best practices.
Steps to address cloud data security
The report recommends that organizations take the following steps to improve their cloud data security:
Implement strong access controls and authentication measures.
Both Authentication and Authorization are the new perimeter. This is the absolute first step to cloud data security.
Encrypt all sensitive data.
Encrypting data is all fine and good, but it should be done with a risk-based approach in mind. Then, there’s the question of key management. Do you use the CSP supplied managed keys? Do you bring your own key? Hold your own key? This decision is based on your organizations risk tolerance, so there is no default correct response to these questions.
Regularly scan for vulnerabilities.
This is where the Cloud Security Posture Management System (CSPM) come into play. Major IaaS vendors like AWS, Azure and GCP offer solutions in this space. These can be used to ensure the security of your cloud environment and the systems running inside your cloud environment.
Back up data regularly.
There’s no change here from traditional IT. CSPs will offer solutions for this. Use them!
Train employees on cloud security best practices.
At Intrinsec Security, we’re the best in the biz when it comes to training your staff on cloud security.
Cloud data security is a critical issue for organizations of all sizes. Although one could argue that only 2 of the top 5 “cloud” breaches were actually cloud-based, the findings are clear. Phishing attacks and publicly available data make up the top 5 attacks. Both scenarios require training.
For the “misconfigurations”, Both the CCSK and the CCSP certification training offerings from Intrinsec Security address these issues, as does our exclusive Cloud GRC training. Your organization owes it to your stakeholders to send your IT staff and leadership to this type of training. Our trainers are also consultants. You can have a custom course created for you based on your needs and assessment of your current landscape.
As for the phishing attacks, ANY form of MFA is better than none, but Yubikey (or similar) offers the best protection against phishing attacks. Of course, costs for procuring these keys add up, but considering a cost of the average breach now at $3.86 million for a data breach (and rising), that buys more than 77,000 Yubikeys at a cost of $50 each (all prices USD).