Unpacking the 2024 Snowflake Data Breach
Published 05/07/2025
CSA’s Top Threats to Cloud Computing Deep Dive 2025 reflects on eight recent real-world cybersecurity breaches. The report presents each incident as both a detailed narrative and as a threat model with the relevant cloud security risks and mitigations.
Today we’re taking a closer look at the first incident covered in the Deep Dive: Snowflake 2024. This incident features an Advanced Persistent Threat and insufficient Identity and Access Management. The takeaways from this case study can be used to improve your own response to critical threats.
In 2024, Mandiant tracked UNC5537, a financially motivated threat actor that had stolen a significant volume of records from Snowflake customer accounts and extorted the breached organizations.
The threat actor allegedly acted under the pseudonym “Judische” or “Waifu.” They were allegedly a 26-year-old software engineer living in Ontario, Canada, as per Krebs on Security. They also seemed to operate with close associates on hacker forums to exploit the exfiltrated data.
The threat actor used Snowflake account credentials previously stolen via infostealer malware to access customers' Snowflake instances. The consequent extortion of affected companies led to direct financial losses and illicit gains upwards of $2 million USD. This attack appears to have affected hundreds of Snowflake customers and their data. Known victims of the attack include AT&T, Ticketmaster, and Santander.
This incident is an example of CSA's Top Threat #11: Advanced Persistent Threats (APTs). APTs are sophisticated adversaries, including nation-state actors and organized criminal gangs. APT attacks tend to be long-term campaigns targeting sensitive data and resources.
Additionally, insufficient identity, credentials, key, and access management (Top Threat #2) enabled the attacker to gain access. Identity and Access Management (IAM) controls are crucial to ensure individuals can access allowed resources only after proving who they are. This system is pivotal in defining and managing user roles and privileges.
Key components like user authentication, authorization, single sign-on (SSO), multi-factor authentication (MFA), and activity monitoring are integral to IAM’s effectiveness. The lack of baseline authentication security measures helped make the Snowflake breach possible. This included a notable lack of conditional access or rotation of access credentials.
Technical Impacts
- Confidentiality: Breached organizations’ confidential information was exfiltrated and, in some cases, leaked to the public or hacker communities.
- Compliance: Snowflake acted to meet regulatory obligations to disclose the breaches in financial reporting (SEC filing). They also chose to inform affected customers. Breached organizations similarly acted on disclosure obligations. In at least two cases, 8-K forms filed with the SEC detailed accounts of the breaches and their impacts.
- Data Breach: Unauthorized access to data and theft of data took place. These data breaches continue to affect business strategies, reporting, performance, and the brand association of the companies.
- Threat Operation: The attackers advertised the breached organizations’ data for sale on cybercrime forums. This exposed victims to further extortion attempts and contributed to loss of trust.
Business Impacts
- Financial: Companies reported up to $3 million USD of non-material financial consequences. However, material impacts on equity and stock prices of affected companies were not evident. Some of the affected companies were subject to data extortion and elected to pay, resulting in further financial losses.
- Operational: Breached organizations engaged specialized incident response teams, such as Mandiant. This significantly increased their investments in advanced threat containment, forensic investigations, and proactive recovery strategies. They also strengthened security infrastructures to mitigate ongoing risks and prevent recurrence. Snowflake conducted a joint investigation with Mandiant into new product strategies and controls.
- Reputational: The repeated association of Snowflake’s brand with high-profile data breaches is likely to impact customer trust. This association will also diminish market confidence and influence future procurement decisions and investor perceptions, potentially affecting long-term competitive positioning.
Preventive Mitigation
- Strong Authentication: Implement and evaluate appropriate measures to prevent unauthorized access to systems, applications, and data assets. This includes multifactor authentication for privileged user and sensitive data access.
- Network Security: Restrict communications between environments and sensitive data systems to only authenticated and authorized connections and networks, as justified by the business. Consider restricting internet access to internal data stores using allow lists and other means.
- Data Protection by Design and Default: Develop systems and business practices based on security by design principles. For example, when designing authentication for a data store, integrate controls that account for the likelihood that users will not enable two-factor authentication on their own.
- Anti-Malware Detection and Prevention: Apply and maintain measures to protect against malware on managed assets.
- Data Loss Prevention (DLP): Employ DLP technologies and rules in accordance with a risk assessment.
- Least Privilege: Employ the least privilege principle when implementing information and data systems access.
Detective Mitigation
- Security Monitoring and Alerting: Continuously identify, monitor, and correlate security-related events across applications, networks, and underlying infrastructure. Leverage automated analytics and real-time threat intelligence integrations to enhance anomaly detection and expedite incident response.
- Detection of Baseline Deviation: Implement detection measures with proactive notification in case of changes deviating from the established baseline. This includes two-factor authentication for critical systems and data access.
- Audit Logs Monitoring and Response: Detect activity outside typical or expected patterns and take timely actions on them.
- Incident Management: Establish and maintain an incident response plan to promptly identify, respond to, limit, analyze, and report incidents.
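The preventive controls above (MFA, network allow lists) and the detective ones (baseline deviation, audit log monitoring) can be exercised together over login audit records. The following is an added example, not code from CSA or Snowflake; the event fields, allow-listed ranges, service identity and history are all constructed for illustration.

```python
"""Flag password-only, off-network and baseline-deviating logins in
constructed login-history records (field names and values are constructed,
not taken from any real system or incident)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed corporate egress ranges that a network policy would allow.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]
# Constructed service identity exempted from the MFA check; such identities
# must be pinned to ALLOWED_NETWORKS instead, per the network-security control.
MFA_EXEMPT: Set[str] = {"etl_svc"}

# Constructed "known good" history used to build each user's baseline.
HISTORY = [
    {"user": "analyst1", "ip": "203.0.113.10", "success": True, "mfa": True, "client": "WEB_UI"},
    {"user": "etl_svc", "ip": "198.51.100.7", "success": True, "mfa": False, "client": "PYTHON_DRIVER"},
]
# Constructed events under review; the last two model a stolen password
# being replayed from an unknown network with no second factor.
EVENTS = [
    {"user": "analyst1", "ip": "203.0.113.10", "success": True, "mfa": True, "client": "WEB_UI"},
    {"user": "etl_svc", "ip": "198.51.100.7", "success": True, "mfa": False, "client": "PYTHON_DRIVER"},
    {"user": "analyst1", "ip": "192.0.2.55", "success": False, "mfa": False, "client": "PYTHON_DRIVER"},
    {"user": "analyst1", "ip": "192.0.2.55", "success": True, "mfa": False, "client": "PYTHON_DRIVER"},
]

def build_baseline(history: List[dict]) -> Dict[str, Set[Tuple[str, str]]]:
    """Record each user's previously seen (source ip, client) pairs."""
    baseline: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for e in history:
        if e["success"]:
            baseline[e["user"]].add((e["ip"], e["client"]))
    return baseline

def in_allow_list(ip: str) -> bool:
    """True when the source address falls inside an allow-listed range."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def detect(events: List[dict], baseline: Dict[str, Set[Tuple[str, str]]]) -> List[tuple]:
    """Return (user, ip, reasons) for each successful login violating a control."""
    findings = []
    for e in events:
        if not e["success"]:
            continue  # failed attempts are tracked separately (brute-force counts)
        reasons = []
        if not e["mfa"] and e["user"] not in MFA_EXEMPT:
            reasons.append("password_only")
        if not in_allow_list(e["ip"]):
            reasons.append("off_allowlist")
        if (e["ip"], e["client"]) not in baseline.get(e["user"], set()):
            reasons.append("baseline_deviation")
        if reasons:
            findings.append((e["user"], e["ip"], reasons))
    return findings
```

A single event that trips all three checks, as the replayed credential does here, is the pattern this incident turned on: a valid password, no second factor, an unfamiliar network and an unfamiliar client.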
Corrective Mitigation
- Security Breach Notification: Define and implement processes, procedures, and technical measures for security breach notifications. Report security breaches, including any relevant supply chain breaches, as per applicable SLAs, laws, and regulations.
- Supply Chain Data Security Assessment: Define and implement a process for conducting security assessments periodically for all organizations within the supply chain.
- Vulnerability/Patch Management: Implement and maintain a documented vulnerability management process to address the discovery, reporting, and remediation of vulnerabilities.
Key Takeaways from This Incident
- Baseline configuration, identity security, and access controls continue to dominate as effective controls in common and advanced breach cases.
- Review and implement the shared responsibility model. Cloud users ought to understand and practice their responsibility over the security measures in their control. They must protect the sensitive data they put into cloud services.
- Vendors have a responsibility to create and promote the use of safe configurations and security controls in their service. Secure defaults and the path of least resistance for sensitive cloud services, such as data stores, should be safe and secure. Security teams should flag and contain exceptions and abuse.
Interested in reading about other recent cyber incidents? CSA’s Top Threats to Cloud Computing Deep Dive 2025 analyzes seven other recent cloud breach cases. Get a detailed breakdown of the recent Football Australia, CrowdStrike, Toyota, DarkBeam, Retool/Fortress, FTX, and Microsoft incidents. Each breakdown includes:
- Attack detail
- Description of the threat actor
- List of associated threats and vulnerabilities
- Evaluation of the technical and business impacts
- Relevant Cloud Controls Matrix (CCM) controls to use in mitigation
- Key metrics and takeaways