Did the Snowflake data heist hit mortgage players?

Img

The list of victims of a cybersecurity incident tied to widely used cloud storage provider Snowflake could include mortgage companies, experts say.

The cloud data platform and Google-owned cybersecurity firm Mandiant said they've notified 165 unnamed, potentially exposed businesses. The Montana-based Snowflake wasn't hacked, but cybercriminals used stolen credentials to infiltrate data belonging to companies, which allegedly includes Ticketmaster.

The unidentified threat actors are also auctioning off on cybercriminal forums consumer data from LendingTree subsidiary QuoteWizard, a source told Insurance Journal. LendingTree did not respond to a request for comment Wednesday. 

No mortgage businesses have publicly disclosed an impact from the Snowflake incident. Mortgage technology leaders however don't think the industry is completely immune. 

"Just the fact that the platform is so large and so expansive, I would find it very difficult to believe that there's not at least one lender that uses it," said Matt Lehnen, chief technology officer at Deephaven Mortgage.

Jason Bressler, chief technology officer at United Wholesale Mortgage, suggested many mortgage companies use Snowflake.

"It has the probability and the possibility to become the largest cybersecurity breach in corporate America history," he said.

Both CTOs said their businesses don't use Snowflake. Mortgage firms are already reeling from a spate of cybersecurity incidents in the past 12 months that have affected millions of consumers and cost millions of dollars to address.

Mandiant in its lengthy notice with Snowflake attributed the criminal conduct to a "financially motivated threat actor" attempting to extort victims in activity beginning in April. Hackers reportedly obtained credentials via malware from contractors which clients used to assist with their use of Snowflake.

Impacted accounts did not have multi-factor authentication enabled, and some compromised accounts had the same login since their theft as far back as 2020, the report said. 

Snowflake has not disclosed the extent of the data theft. A representative for the company Wednesday responded to a list of questions with a link to Snowflake's updates on its investigation.

The hackers, identified in the Mandiant report as "UNC5537" are operating under aliases on social media platform Telegram and other cybercrime forums. The criminals are based in the United States, and at least one collaborator is based in Turkey, Mandiant stated with moderate confidence. They're allegedly storing stolen data on international virtual private servers and file hosting service Mega.

Michael Nouguier, chief information security officer and director of cybersecurity services at Richey May, said Snowflake as a data management leader failed to show leadership in enforcing stronger cybersecurity controls.

"The concept of opt-out security is not being leveraged here," he said. 

Nouguier compared opt-out security to opt-in security, where users are responsible themselves for enacting measures such as MFA. He pointed to GitHub, the popular developer platform, as an example of a prominent industry platform which implemented MFA requirements.

Snowflake in its updates said it's now developing a plan to require customers to use MFA or network policies, another cybersecurity measure. 

Jim Routh, chief trust officer at technology firm Saviynt, also predicted the Snowflake incident will impact many businesses. He said companies, particularly cloud software providers, have elected to stick with user ID and password credentials rather than advanced authentication options because of a "limited marketplace pressure" to move off them. 

"Passwords have served the industry well for over sixty years, but they weren't designed for use across hundreds of digital assets that many digital consumers and employees need," he said in an email. "The results include consumers and users that select the same password for many digital assets increasing the impact when credentials have been compromised."


More From Life Style