They may be called snowflake accounts, but the latest spate of cyber attacks this summer on these accounts have resonated more like a snowstorm on the organizations that have been impacted. Snowflake, in a June 2 joint statement with CrowdStrike and Mandiant, said attackers used stolen username and password pairs to breach Snowflake accounts for which administrators hadn't enabled multi-factor authentication (MFA). As part of this campaign, threat actors leveraged credentials previously purchased or obtained through info-stealing malware. Snowflake is a Montana-based data platform and warehouse that provides data storage, processing and analytic solutions. Snowflake CISO Brad Jones said on Saturday, June 1 that while they only became aware of the potentially unauthorized access to certain customer accounts on May 23, they observed threat activity back to mid-April.
The breach of Snowflake accounts appears to have affected about 165 customer accounts of well-known organizations across a wide range of industries. Victims include Live Nation Entertainment's Ticketmaster, Santander Bank, automotive parts supplier Advance Auto Parts, the Los Angeles Unified School District, AT&T and luxury retailer Neiman Marcus. Mandiant told Bloomberg that it is aware of up to 10 Snowflake customers that have received ransom demands of $300,000 to $5 million each from the attackers. It is not clear whether any of the organizations impacted have paid the ransom demands.
These attacks once again highlight the importance of MFA and proper access controls, which according to the Mandiant investigation, were not implemented. MFA is an identity verification method that enhances security by requiring users to provide multiple pieces of evidence to prove their identity.
It is now quite rare for organizations to be able to procure cyber insurance without evidence that MFA and proper access controls are in place, but assuming the impacted organizations did have cyber insurance, there would be several first party and third-party coverages available.
To start, these organizations would likely have coverage for data breach expenses, including but not limited to costs incurred to complete a forensics investigation, to hire a law firm to evaluate and execute notice obligations, to hire a public relations firm and to restore data that has been comprised. There would further be cyber extortion coverage available should the organization determine that paying the threat actor’s ransom demand to recover their data is the best course of action. Finally, and possibly most significantly, insured organizations would be able to tap their business interruption coverage for lost income and extra expenses incurred during the time their business and or network is down due to the attack.
While no changes to underwriting processes have been implemented in the immediate aftermath, the event comes at a time when the insurance market was just starting to see a pullback on what was being asked of clients in submissions. As these matters continue to unfold there certainly could be a pivot back to more scrutiny around whether a company has MFA and the necessary access controls in place. Additionally, another potential impact from the Snowflake event could be underwriters charging more premium on those accounts where companies do not have MFA fully implemented across their networks.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
