How Good Cloud Security Operations Could Have Prevented 5 Famous Data Breaches

“Why rob banks? Because that’s where the money is.” US bank robber “Slick Willie” Sutton might not have coined this saying, but it’s still true. People have gone to great lengths to rob banks, from digging long tunnels, to holding people hostage, to spraying alarm systems full of surf-board foam. As our lives become increasingly more virtual, all that determination and creativity has found a new outlet in the form of digital attacks. Why breach company systems? Because that’s where the data is. 

IBM’s annual Cost of a Data Breach Report revealed that in the US the average cost of a data breach is $9.4 million, and the financial consequences can be particularly acute for small and midsize businesses. In one study, companies with less than 500 employees suffered losses of more than $2.5 million on average—a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenue. And then there’s the long tail financial impact. Ongoing losses over the subsequent years compound the financial impact of a data breach, often matching or even surpassing the initial loss. The IBM study also points out that attacks are on the rise, saying, “For 83% of companies, it’s not if a data breach will happen, but when. Usually more than once.”

But it’s not all bad news. Much can be done to prevent data theft and mitigate the aftermath. Here we will examine five companies that were breached, and how good CloudOps could have prevented much of the damage. 

1. Crypto.com’s Breached Wallets

On January 17, 2022, hackers targeted approximately 500 cryptocurrency wallets and made off with over $30 million in cryptocurrencies. The hackers were able to circumvent 2-factor authentication, leaving accounts protected by only a password.

What could have helped: Robust Data Encryption 

A well-trained ops team may have run threat-modeling exercises to determine how such circumventions of security measures might occur and eliminate the vulnerabilities. Threat modeling involves systematically analyzing and identifying potential security risks and vulnerabilities that may exist within a website or online application, evaluating their potential impact and likelihood, and then devising appropriate countermeasures and safeguards to mitigate those risks.

Additionally, when cloud infrastructure services are used to their full advantage, they provide strong encryption capabilities to protect data at rest and in transit. Encryption ensures that even if unauthorized individuals gain access to the data, they cannot understand or use it without the encryption keys. This safeguards sensitive information from potential breaches and unauthorized access.

2. Marriott Hotels’ Trojan Encounter

In September of 2018, it was discovered that a remote access Trojan—a type of malware that lets hackers secretly access, monitor, and even control a computer—was used by cybercriminals to steal approximately 500 million records from Marriott Hotels, among them sensitive credit card information and passport numbers. By May 2019, the costs associated with the data breaches had amounted to $72 million. 

What could have helped: Advanced Network Security

Sophisticated network security measures, such as firewalls, intrusion detection systems, and distributed denial-of-service (DDoS) protection monitor network traffic, identify and block suspicious activities, and defend against malicious attacks.

Marriott’s weak link was an older, virus-infected system that had come with the acquisition of Starwood Hotels and Resorts. By failing to integrate or update the Starwood system, they left the door open to attack.

During transitions of technical teams, it’s important that security be given a top priority and that staffers responsible for the transition have the experience necessary to identify and mitigate problem areas.

Also, it’s important to run continuous security audits. This involves conducting a comprehensive examination of your system's design, implementation, and infrastructure to identify any potential security weaknesses, vulnerabilities, or misconfigurations.

3. The City of Baltimore’s Ransomware Shutdown

The City of Baltimore experienced a ransomware attack in May 2019 that took down its voicemail, email, and other vital systems that its citizens use on a daily basis. The attackers used a popular ransomware program called RobbinHood (sic) that scans computer systems for vulnerabilities. In a digital ransom note, the attackers demanded about $100,000 in Bitcoin for the key to unlock the data. This is small change compared to what Baltimore estimates the ransomware attack will cost the city to restore systems and make up for lost or delayed revenue, something to the tune of $18 million. 

What could have helped: Data Redundancy and Disaster Recovery

The impact of a ransomware attack can be greatly mitigated by encrypting data and maintaining secure cloud backups. If a computer suffers from a ransomware attack, everything can be erased, vulnerabilities can be fixed, and the lost data can be restored within an acceptable period of time. There’s no risk of data being exposed and there’s no need to pay to recover the data.

Operations teams should be trained on disaster recovery best-practices that not only cover a worst-case scenario, but also account for important redundancy of critical systems and the data maintained within.

4. Cash App’s Breach from Within

In April 2022, Cash App admitted that a disgruntled former employee had compromised their systems. The data breach involved customer names, stock trading information, account numbers, and portfolio values, amongst other sensitive financial information. The former employee had gained access via login credentials that were still active, even though he was no longer employed. 

What could have helped: Centralized Security Management

Centralized security management tools allow organizations to centrally monitor and manage security policies, access controls, and user permissions. This centralized approach streamlines security administration, ensuring consistency and reducing the chances of misconfigurations or human errors that could lead to security vulnerabilities. 

Automation connected to HR records could have deleted the employee’s permissions the moment his employment ended. Teams proficient in the automation potential of most large cloud services providers would have had the tools needed to implement such a system. Even where automation is prohibitively complex, documented security procedures and policies could have prevented the incident.

Regardless of the potential to implement automation in this regard, scheduling frequent audits of access and permissions for your users can also help you identify problems, and eliminate them.

5. Ronin’s Massive DeFI Hack

Players of Ronin’s Axie Infinity game can gain non-fungible tokens (NFTs), a type of digital collectible stored on a public blockchain typically associated with a digital currency (crypto-currency). In 2020, as the game’s popularity grew, the company scaled back its security standards so that its servers could accommodate a larger audience. They effectively outsourced a portion of their security to a third party, which became compromised and allowed hackers to steal $625 million in cryptocurrencies, the largest hack in DeFi (de-centralized finance) history. 

What could have helped: Proactive Security Measures

Investing heavily in security expertise and continuously updating security protocols would have helped address this threat as it emerged. Ronin’s third-party didn’t have real-time monitoring—or monitoring of any kind—as evidenced by the fact that the hack went undetected for a week, only coming to light when a customer complained that they couldn’t withdraw their currency.

Cloud ops specialists can leverage log collection and analysis tools such as those provided by AWS CloudWatch, DataDog, or similar to target suspicious patterns when data is transmitted into and out of your systems. Once identified, these patterns can be used to surface alerts to your team’s communication tools. They can also be used to kick off processes that automatically disable affected areas of the system, or exclude access for users related to the suspicious activity.

The big lesson here: never compromise your security standards, and empower your operations teams with metrics and alerting tools that can identify suspicious patterns emerging from your systems. As the system scales, attention should be continuously given to emerging vulnerabilities. 

Ensuring Cloud Security: The Importance of Best Practices

While it is true that nearly half of all data breaches happen in the cloud, cloud infrastructures are not inherently insecure. They are simply only as good as the team managing them. To get the very best out of your cloud solution, you need experts tuning and optimizing your security and privacy.

All the preventive measures stated above can be boiled down to two words: best practices. Continuous monitoring, threat modeling, regularly updating security protocols, encrypting data, maintaining secure backups, and enforcing strict access controls are just a few. At TSG, our security experts are well-versed in the operations potential of common cloud technologies and are motivated to perform due diligence when it comes to security.