SaaS Provider Attack – Hacker Compromises AWS Access Keys Through Corporate Devices
Author
Sujato Bandyopadhyay
Aug 19, 2024
Introduction
In a recent security breach, a SaaS company’s AWS access keys were compromised, granting a hacker unauthorized access to both production and non-production environments in the North America region. These access keys were stored on corporate devices issued to employees, leading to a significant security lapse. This case study explores the details of the attack, its immediate consequences, the response measures taken, and the key learnings from the incident.
The Attack: How It Happened
The breach occurred when a hacker gained unauthorized access to AWS access keys stored on corporate devices issued by the SaaS company. These keys provided access to the company's cloud infrastructure, allowing the hacker to penetrate both production and non-production environments in the North America region. Although the breach was significant, no personally identifiable information (PII) was compromised due to the company’s stringent encryption protocols. The attack primarily affected newly hosted customers in the North America region, with no impact on the broader customer base.
Consequence: The Immediate Impact
The breach unfolded, and its impact stayed contained, as follows:
Compromised Access Keys: AWS access keys stored on corporate devices were used by the hacker to access the company’s cloud infrastructure.
Data Security: All data remained encrypted, preventing the hacker from accessing any PII.
Limited Customer Impact: The breach affected only newly hosted customers in the North America region, leaving the major customer base unaffected.
Response: Steps Taken to Mitigate the Damage
Step 01: Implementing Security Measures
Upon detecting unusual activity in the AWS environment, the client immediately implemented Two-Factor Authentication (2FA) and rotated all access keys, including API and AWS keys. This quick response helped contain the breach and prevent further unauthorized access.
Step 02: Incident Reporting to Insurer
Six days after the incident, the client informed their insurer’s team. By this time, the compromised keys had been identified, and key rotation and malware scanning measures were already underway.
Step 03: Migration and Enhanced Security
The client migrated affected customers from the compromised server to a new, secure environment. Additional security measures were implemented based on recommendations from cybersecurity experts to further protect the company’s cloud infrastructure.
Step 04: Ensuring System Integrity
The client ensured that all systems were sanitized and free from infection. No data exfiltration was detected, thanks to the strong encryption protocols in place. The final claim was settled, covering the costs of cybersecurity and legal professionals involved in the response.
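The response above hinges on two things the company had to do quickly: notice that a long-lived access key was being used in a way it never had been before, and find and rotate the keys at risk. The following is an added example, not code from the case study or from the company involved, that shows both checks in working Python over constructed CloudTrail-style records. Assumptions: the records are flattened (accessKeyId and mfaAuthenticated are lifted out of CloudTrail's nested userIdentity block for brevity), the key IDs, IP addresses (from the TEST-NET documentation ranges) and dates are invented, the list of sensitive IAM actions is the example's own, the 90-day rotation limit is an assumed policy, and the article's publication date stands in for "now".

```python
from datetime import datetime, timedelta, timezone

# IAM actions that extend or entrench access. Issued with a long-lived key and
# without MFA, they deserve a second look. (Assumed list for this example.)
SENSITIVE_ACTIONS = {"CreateAccessKey", "CreateUser", "AttachUserPolicy",
                     "PutUserPolicy", "CreateLoginProfile"}

# Constructed CloudTrail-like records: field names follow CloudTrail, values are
# invented. 203.0.113.x and 198.51.100.x are documentation ranges, not real hosts.
SAMPLE_EVENTS = [
    {"eventTime": "2024-08-01T09:12:00Z", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "accessKeyId": "AKIAEXAMPLE0000001", "mfaAuthenticated": "false"},
    {"eventTime": "2024-08-02T10:30:00Z", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "accessKeyId": "AKIAEXAMPLE0000001", "mfaAuthenticated": "false"},
    {"eventTime": "2024-08-03T08:00:00Z", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
     "accessKeyId": "AKIAEXAMPLE0000002", "mfaAuthenticated": "true"},
    # After the cutoff: the first key suddenly appears from an unfamiliar address
    # and then mints a new key for itself (the kind of persistence step a
    # defender wants surfaced immediately).
    {"eventTime": "2024-08-10T03:45:00Z", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
     "accessKeyId": "AKIAEXAMPLE0000001", "mfaAuthenticated": "false"},
    {"eventTime": "2024-08-10T03:47:00Z", "eventName": "CreateAccessKey",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.77",
     "accessKeyId": "AKIAEXAMPLE0000001", "mfaAuthenticated": "false"},
    {"eventTime": "2024-08-10T11:00:00Z", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.11",
     "accessKeyId": "AKIAEXAMPLE0000002", "mfaAuthenticated": "true"},
]

# Constructed key inventory in the shape of IAM's ListAccessKeys output.
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE0000001", "UserName": "ci-deploy",
     "CreateDate": "2024-01-15T00:00:00Z", "Status": "Active"},
    {"AccessKeyId": "AKIAEXAMPLE0000002", "UserName": "ops-admin",
     "CreateDate": "2024-07-20T00:00:00Z", "Status": "Active"},
]


def parse_time(ts):
    """CloudTrail timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Events before CUTOFF define "normal"; events at or after it are inspected.
CUTOFF = parse_time("2024-08-05T00:00:00Z")
# The article's publication date stands in for the current time.
NOW = parse_time("2024-08-19T00:00:00Z")


def build_baseline(events, cutoff):
    """Map each access key to the set of source IPs seen for it before cutoff."""
    baseline = {}
    for ev in events:
        if parse_time(ev["eventTime"]) < cutoff:
            baseline.setdefault(ev["accessKeyId"], set()).add(ev["sourceIPAddress"])
    return baseline


def detect_anomalies(events, baseline, cutoff):
    """Return findings for events at/after cutoff that break the baseline."""
    findings = []
    for ev in events:
        if parse_time(ev["eventTime"]) < cutoff:
            continue
        key = ev["accessKeyId"]
        reasons = []
        known_ips = baseline.get(key)
        if known_ips is None:
            reasons.append("unbaselined_key")       # key never seen before cutoff
        elif ev["sourceIPAddress"] not in known_ips:
            reasons.append("new_source_ip")         # key used from a new address
        if ev["eventName"] in SENSITIVE_ACTIONS and ev["mfaAuthenticated"] != "true":
            reasons.append("sensitive_action_without_mfa")
        if reasons:
            findings.append({"accessKeyId": key, "eventTime": ev["eventTime"],
                             "eventName": ev["eventName"],
                             "sourceIPAddress": ev["sourceIPAddress"],
                             "reasons": reasons})
    return findings


def keys_due_for_rotation(keys, now, max_age_days=90):
    """Active keys older than the policy limit; these get rotated first."""
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active"
            and now - parse_time(k["CreateDate"]) > timedelta(days=max_age_days)]


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_EVENTS, build_baseline(SAMPLE_EVENTS, CUTOFF), CUTOFF):
        print(f"{f['eventTime']} {f['accessKeyId']} {f['eventName']} "
              f"from {f['sourceIPAddress']}: {', '.join(f['reasons'])}")
    print("rotate:", keys_due_for_rotation(SAMPLE_KEYS, NOW))
```

The baseline-then-compare split is what makes the first signal cheap to run continuously: a week of CloudTrail is enough to learn where a deployment key normally speaks from, and a long-lived key showing up from an address outside that set, as the keys in this incident would have once they were lifted from a corporate laptop, is the event to page on. The rotation check is the other half of the response described above: with key ages in hand, the oldest active keys are the ones to rotate first, whether or not they have shown anomalous use yet.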
The Cost: Financial and Operational Implications
The total cost of the incident was fully covered by the insurer after agreed-upon deductions. The company filed a claim for INR 2 crore, and after a deductible of INR 50 lakh, the insurer paid out INR 1.5 crore to cover the expenses incurred during the response and recovery process.
Learnings: Key Takeaways for the Industry
Multi-Factor Authentication (MFA): This incident reinforces the importance of implementing multi-factor authentication and maintaining good password hygiene to prevent unauthorized access.
Data Encryption: The use of strong encryption protocols ensured that no PII was compromised during the breach, highlighting the importance of encrypting sensitive data.
Prompt Incident Response: Quick detection and response to unusual activity were crucial in containing the breach and minimizing its impact.
Value of Cyber Insurance: Despite robust security measures, human errors can lead to breaches. Cyber insurance plays a critical role in covering the financial losses associated with such incidents. Working with an experienced insurance broker can make a significant difference in the claim payout process.