
The Weekly Breach Breakdown: Ticketmaster to Ride – Latest on the Snowflake Customer Attacks

06/21/2024

  • A recent Ticketmaster data breach impacted an estimated 560 million people around the world. Soon after, others like Advance Auto Parts, European bank Santander and a subsidiary of LendingTree announced they suffered similar attacks.
  • So far, cybersecurity provider Mandiant has identified 165 organizations that have had their cloud databases compromised. All of the organizations impacted are customers of the cloud computing platform Snowflake that did not require the use of multi-factor authentication (MFA).
  • Forensic cybersecurity experts say there is no indication Snowflake’s cybersecurity failed or was penetrated using some form of malware. Rather, the Snowflake customer attacks were the result of businesses choosing not to use MFA when configuring their accounts.
  • It’s fair to ask why technology providers don’t force higher levels of data protection. However, until they do, account users need to turn on MFA and businesses should require the use of MFA. Better yet, they should add the ability to replace passwords and MFA with passkeys.
  • To learn about the latest data compromises, consumers and businesses should visit the Identity Theft Resource Center’s data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime, call or text toll-free at 888.400.5530 or live chat on our website, idtheftcenter.org.

Ticketmaster to Ride

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 21, 2024. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we examine the Snowflake customer attacks, in particular, the Ticketmaster data breach.

We’re rapidly approaching the mid-way point of the year when we publish a look at the data breach trends so far in 2024. That’s not this episode. However, what we talk about today will have a big impact on what we do talk about in July. That’s because there is a series of cyberattacks leading to data breaches underway that may turn out to be one of the largest, if not the largest, coordinated supply chain attacks in history.

You may have heard about one of the brands impacted by this attack – and that’s why we’re calling this episode (with apologies to the Beatles) …A Ticketmaster to Ride.

Ticketmaster Data Breach

Last month, Ticketmaster’s parent company confirmed that one of its cloud databases was compromised by identity criminals who accessed information on an estimated 560 million people around the world. We don’t know yet how many U.S. residents have been compromised by the Ticketmaster data breach. However, some industry experts estimate that about 85 percent of Ticketmaster users are in the U.S. – putting the potential number of U.S. victims in the hundreds of millions of people.

Other Recent Data Breaches

Soon after Ticketmaster’s announcement, other brands including Advance Auto Parts, European bank Santander and a subsidiary of LendingTree all revealed they too had been caught up in a similar attack. So far, cybersecurity provider Mandiant has identified 165 organizations that have had their cloud databases compromised.

What Happened? (And is Likely Still Happening)

So far, all of the organizations impacted are customers of the cloud computing platform Snowflake. More specifically, they are all Snowflake customers who did not require the use of multi-factor authentication (MFA), making it easy for threat actors to use stolen login credentials to access accounts, and then steal personal information from the database.

Forensic cybersecurity experts are quick to point out there is no indication Snowflake’s cybersecurity failed or was penetrated using some form of malware. Rather, the Snowflake customer attacks were the result of businesses choosing not to use MFA when configuring their accounts. Login credentials were either acquired in an identity marketplace where data breach information is sold or shared, or captured by login-stealing malware triggered in a phishing or other cyberattack.

Why Are There Not Higher Levels of Data Protection?

With that said, those same cybersecurity experts are not ready to let Snowflake or any other company that does not mandate robust cyber protections off the hook. With hundreds of millions of individuals at risk of identity misuse around the world, the question now is – why don’t technology providers force higher levels of data protection?

That’s a legitimate question to ask at a time when more states are passing mandatory cybersecurity requirements as part of comprehensive privacy and data security laws. Congress, as we’ve discussed recently, is also considering minimum data protection standards.

Until your state requires robust cybersecurity or there is a national standard, there are steps you should take to ensure your information is safe. That goes for businesses of all sizes, too, when it comes to safely storing customer data in a cloud.

Account Users and Businesses Need to Use MFA

At a minimum, turn on MFA as an account user. If you’re the business, make MFA mandatory, not optional, for your customers and your employees. Better yet, add the ability to replace passwords and MFA with passkeys. Passkey credentials cannot be stolen or self-compromised because they never leave the customer’s device. The token needed to access an account is never stored in a database that can be compromised and the user never sees it, so there is nothing to remember or accidentally share with a criminal.

If your cloud provider doesn’t offer those levels of protection, look for one that does. Everyone has a role to play in protecting personal information. Businesses are responsible for protecting the data shared with them, and we, as individuals, are also responsible for selecting businesses that will treat our data with the respect it deserves. If they don’t, be ready to take your business to one that does.

Contact the ITRC

If you want to know more about how to protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. Be sure to check out our sister podcast, the Fraudian Slip, next week when we review the annual trends revealed by the victims who contact us each day. We will return in two weeks with another episode of the Weekly Breach Breakdown.
