Sep 18, 2024

SaaS Data Breaches: Detection & Prevention Strategies

State secrets. Crown jewels. The Neiman Marcus chocolate chip cookie recipe. Since time immemorial, people have longed for restricted and coveted assets. And there are always the few among them who will stop at nothing to get access to the inaccessible. 

Sensitive and valuable data stored in SaaS systems is no exception. Headlines about the SaaS data breaches of large, well-known companies are no longer surprising. And if Microsoft, Dropbox and Disney can have their SaaS data breached, what does that mean for you?

What is a SaaS Data Breach?

A SaaS data breach is when individuals gain unauthorized access to sensitive or confidential data stored in cloud-based software services. The breach occurs as soon as the data is accessed; further harm to the data may be part of the breach itself or follow in its wake. Such harm includes data theft, exposure, deletion or corruption, and disruption of legitimate access to the data.

Common Causes of SaaS Data Breaches

SaaS data breaches come in many flavors: all of them distasteful. Attackers can and will use methodologies that include:

  • Hacking: using technical means to gain unauthorized access to SaaS systems, such as exploiting software vulnerabilities
  • Physical Theft: stealing a physical device that can access corporate SaaS systems
  • Social Engineering: manipulating individuals into disclosing SaaS access information or sharing assets through tactics like phishing, pretexting or baiting
  • Insider Threats: using legitimate access to an organization’s SaaS systems (as an employee, contractor or partner) to expose or steal the organization’s data

Sometimes insider threats are not generated by an “attacker,” but rather by human error. Misconfiguring SaaS systems or setting access permissions that are wrong or too wide can cause a SaaS data breach that wasn’t anyone’s intention.

How to Detect a SaaS Data Breach

SaaS data breach detection strategies differ somewhat depending on whether the breach is caused by an outside threat actor or by an insider threat. An insider who is misusing their privileges (or a threat actor who has obtained legitimate insider credentials, through social engineering or otherwise) will be much harder to detect, because employees, partners and other inside users often do have to access and interact with your sensitive data as part of their business role.

Detection strategies that are valuable no matter who the threat actor is include:

  • Anomalous user behavior detection: monitor for unusual patterns of logins, SaaS app access, or interaction with SaaS assets. “Unusual” should be determined in reference to the behavioral benchmarks of the user in question: how they usually log in, access and interact with your data assets. This will differ from user to user, or from user group (like a business department) to user group.
  • Data loss prevention tracking: define and classify your company’s sensitive data. Monitor data asset interaction for unusual patterns of downloading, sharing, modification or otherwise.
  • Admin account activity inspection: threat actors often target admin accounts. Monitor your admin account activity logs for escalated privileges or changes to data security policies.
  • Configuration change monitoring: check for changes to SaaS configurations, permissions, or security and privacy settings.
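The first and third strategies above, worked through as an added example that is not part of the original post: a per-user download baseline (so that a user whose normal volume is high is not flagged while a sudden spike for a low-volume user is) and a filter for admin privilege grants and security-setting changes. The audit-log lines, field names and the z-score threshold are constructed assumptions, not any vendor's real log schema.

```python
import json
import statistics
from collections import defaultdict

# Constructed sample of SaaS audit-log events (JSON lines); not real data.
AUDIT_LOG = """
{"day": 1, "user": "alice", "action": "file_download", "count": 12}
{"day": 2, "user": "alice", "action": "file_download", "count": 9}
{"day": 3, "user": "alice", "action": "file_download", "count": 11}
{"day": 4, "user": "alice", "action": "file_download", "count": 640}
{"day": 1, "user": "bob", "action": "file_download", "count": 300}
{"day": 2, "user": "bob", "action": "file_download", "count": 320}
{"day": 3, "user": "bob", "action": "file_download", "count": 290}
{"day": 4, "user": "bob", "action": "file_download", "count": 320}
{"day": 4, "user": "carol", "action": "role_changed", "target": "dave", "new_role": "admin"}
{"day": 4, "user": "carol", "action": "setting_changed", "setting": "external_sharing", "value": "anyone_with_link"}
"""

# Assumed names of settings whose change should always be reviewed.
SENSITIVE_SETTINGS = {"external_sharing", "mfa_required", "data_retention"}

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]

def download_anomalies(events, baseline_days=3, threshold=3.0):
    """Flag a user's daily download count when it exceeds that user's own
    baseline: mean + threshold * stdev over the first baseline_days."""
    per_user = defaultdict(dict)
    for e in events:
        if e["action"] == "file_download":
            per_user[e["user"]][e["day"]] = e["count"]
    alerts = []
    for user, days in per_user.items():
        history = [days[d] for d in sorted(days) if d <= baseline_days]
        if len(history) < 2:
            continue  # not enough history to benchmark this user yet
        mean, stdev = statistics.mean(history), statistics.pstdev(history)
        for d, count in days.items():
            # floor stdev at 1.0 so a perfectly flat history does not flag tiny changes
            if d > baseline_days and count > mean + threshold * max(stdev, 1.0):
                alerts.append((user, d, count))
    return alerts

def admin_alerts(events):
    """Surface privilege escalation and changes to sensitive security settings."""
    alerts = []
    for e in events:
        if e["action"] == "role_changed" and e.get("new_role") == "admin":
            alerts.append(e)
        elif e["action"] == "setting_changed" and e.get("setting") in SENSITIVE_SETTINGS:
            alerts.append(e)
    return alerts
```

Bob's 320 downloads on day 4 is normal for Bob and is not flagged; Alice's 640 is roughly sixty times her baseline and is.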

Detection strategies focused on outside threats include:

  • API call tracking: hackers and/or malicious SaaS apps often exploit API vulnerabilities to gain access to your SaaS ecosystem. Monitor SaaS APIs for any abnormal requests or usage patterns.
  • Intrusion Detection Systems (IDS): IDS solutions scan for known malware signatures, suspicious patterns, or vulnerabilities. Implementing these solutions can help detect a breach that leverages malware or other technical means of intruding into your SaaS systems.

Consequences of a SaaS Data Breach

No SaaS data breach comes without consequences, but the nature and severity of the consequences vary based on the cause of the breach, its impact on your data and how you responded to it when it happened. 

Consequences include:

  • The loss of strategic advantage that comes from having Intellectual Property or business strategy documents lost or exposed
  • Bad decisions made based on data that was corrupted as a result of the breach
  • Disruption of business, if legitimate users are unable to access the data they need to do their jobs
  • Non-compliance with regulatory standards (such as GDPR, HIPAA) and the penalties that are levied for non-compliance
  • Reputational damage that makes current or potential customers disinclined to do business with you

How to Prevent Data Breaches

The best way to deal with a SaaS data breach is to never have it happen in the first place. While that is easier said than done, there are certainly prevention strategies and practices that go a long way toward keeping data breaches at bay. 

Important SaaS data breach prevention strategies include:

Monitoring for SaaS configuration drift

Ensuring that your SaaS configurations are secure is the low-hanging fruit of preventing SaaS data breaches. It’s not always easy to manually make sure all the configurations are secure (sometimes exactly where all the settings are isn’t clear), and it’s definitely not easy to make sure they stay that way. Configuration drift is just a reality of a fast-moving, constantly-updating environment. 

Any SSPM (SaaS Security Posture Management) solution should include a misconfiguration detection and management tool that can continually monitor whether your SaaS configurations align with industry recommendations, and alert you or correct the situation if anything goes awry.
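The drift check described above, as an added example that is not part of the original post or of any SSPM product: a hardened baseline is compared with a live snapshot of tenant settings, every deviation is reported, settings the baseline does not know about are queued for review, and an allowlisted subset is corrected automatically while the rest is left for a human. The setting names and values are assumptions modelled on typical CIS-style recommendations, not a real vendor's schema; the same comparison run against the previous snapshot instead of the baseline gives change monitoring.

```python
# Constructed hardened baseline for a hypothetical SaaS tenant (assumed setting names).
BASELINE = {
    "mfa_required": True,
    "external_sharing": "allowlisted_domains",
    "session_timeout_minutes": 60,
    "public_link_default_expiry_days": 7,
    "guest_invite": "admins_only",
}

# Constructed snapshot of the tenant's live settings, as an admin API might return them.
CURRENT = {
    "mfa_required": False,
    "external_sharing": "anyone_with_link",
    "session_timeout_minutes": 60,
    "public_link_default_expiry_days": 0,   # 0 = links never expire
    "guest_invite": "admins_only",
    "legacy_auth_enabled": True,            # not covered by the baseline
}

def detect_drift(reference, current):
    """Return one finding per setting whose live value differs from the reference,
    plus one 'unreviewed' finding per setting present live but absent from the reference."""
    findings = []
    for key, expected in reference.items():
        actual = current.get(key, "<unset>")
        if actual != expected:
            findings.append({"setting": key, "expected": expected,
                             "actual": actual, "status": "drifted"})
    for key in sorted(current.keys() - reference.keys()):
        findings.append({"setting": key, "expected": None,
                         "actual": current[key], "status": "unreviewed"})
    return findings

def remediate(current, findings, auto_fix=frozenset()):
    """Re-apply the reference value for drifted settings listed in auto_fix.
    Returns the corrected config and the settings that still need a human decision."""
    fixed = dict(current)
    manual = []
    for f in findings:
        if f["status"] == "drifted" and f["setting"] in auto_fix:
            fixed[f["setting"]] = f["expected"]
        else:
            manual.append(f["setting"])
    return fixed, manual
```

Keep the auto_fix set small and deliberate: flipping a tenant-wide setting without a human in the loop is itself a change that the configuration change monitor should record.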

Aiming for near real-time detection and alerts

Speaking of fast-moving, constantly-updating environments brings up the need for data breach detection that moves as fast (or, at least, almost as fast) as your data. 100% accuracy in breach detection won’t help if the data is long gone or irreversibly exposed.

While true real-time detection - spotting a problem before it happens and stopping it - isn’t possible in SaaS without clogging the system and disrupting productivity, near real-time detection is. Advanced data loss prevention systems that use multiple methods of identifying potential data loss, and receive information from SaaS systems as soon as any data interaction occurs, can detect risks within seconds and remediate or alert.

Implementing automated remediation workflows

Alerts are important, but if the recipient of the alert is asleep for the night - or even on a coffee break - your data thief may get away. Automated remediation workflows that can take immediate action to remove permissions, block shares or temporarily disable user accounts can be what makes the difference between an issue you need to look into and an emergency you need to spend days or weeks getting under control. 

A SaaS Data Breach Response Checklist

If your organization’s SaaS environment has been breached, the ability to respond promptly and tactically is essential. We’ve put together an emergency response checklist in two sections. We hope you never have to use it.

Dealing with the Cause of the Breach

  • Disable any compromised accounts and user identities
  • Change all relevant passwords, keys, tokens and other secrets
  • Investigate the point of entry/attack method of the threat actor  
  • Fix any security vulnerabilities uncovered in the investigation
  • If the breach happened as a result of a SaaS provider or a third-party, discuss what steps they are taking to prevent this in the future - and, according to that, evaluate the continuation of your business relationship with them

Dealing with the Impact of the Breach

  • Determine the extent of the breach: exactly what data was compromised? Was it exposed, exfiltrated, corrupted, or otherwise?
  • Determine what mitigation efforts are required to limit the impact of the breach on those whose data was compromised (e.g. credit monitoring, identity theft protection)
  • Inform affected customers, employees, and third parties of the breach, detailing what information was compromised, any potential risks to them and the assistance you plan on extending to them
  • Notify the relevant regulatory bodies (e.g. those enforcing GDPR or CCPA) about the breach within the required time frame to comply with data protection laws.

The Federal Trade Commission (FTC) has an excellent resource here that includes detailed steps and even the text of the notification you can send to your customers to let them know about the data breach and what you’re doing about it. 

Examples of Major SaaS Data Breaches in 2024

2024 has seen a number of major SaaS data breaches:

In July 2024, entertainment giant Disney had 1.1 TB of data from almost 10,000 channels on its developer Slack made public on the internet, including 44 million Slack messages, over 18,800 spreadsheets and more than 13,000 PDFs. The Disney Slack breach was the work of hacker group NullBulge, claiming help from a Disney insider.

The impact? In an August regulatory filing, Disney said it didn’t expect any operational or financial consequences of the breach. But in light of the fact that the leaked data included detailed revenue figures that hint at Disney business strategy, as well as PII from Disney staff and guests, one has to wonder.  

In April 2024, hackers stole customer data from Dropbox Sign, Dropbox’s e-signature platform, by exploiting configuration vulnerabilities. Data taken included customer email addresses, usernames, phone numbers, hashed passwords, authentication tokens and MFA keys.

The impact? With this type of data exposed, there is a significant risk that the threat actors will use it for phishing attacks, identity theft and gaining access to other online accounts and applications. Dropbox took action to remediate the situation as best it could, including resetting passwords, logging out sessions and requiring API key rotation, as well as warning affected users about their increased security risk and how best to manage it.

At the beginning of 2024, Microsoft fell victim to a data breach by Russian state-sponsored actors Midnight Blizzard. Through a legacy, non-production test tenant account lacking MFA and the use of OAuth apps, they were able to move into Microsoft’s production environment and compromise their corporate email accounts. 

The impact? Exposure of private corporate emails, some of which contained exploitable secrets and others that could be used for phishing attacks and expanded access to targets. The shockwaves have continued for months, with Microsoft informing widening circles of corporate clients about exposure and exfiltration of their emails.

FAQ

What should I do if my SaaS provider experiences a data breach?

If your SaaS provider experiences a data breach, first assess whether your data was compromised and immediately communicate with the provider for details. Secure your accounts by resetting passwords and enabling multi-factor authentication (MFA). Review any shared data or access permissions, and revoke any unnecessary ones. Notify your internal security team, affected customers, and regulatory authorities if necessary. Monitor for suspicious activity in your systems, and consider legal advice for compliance and liability concerns. Finally, re-evaluate the provider's security measures and consider alternative solutions if their security practices are inadequate.

Are SaaS platforms more vulnerable to data breaches?

SaaS platforms can be more vulnerable to data breaches due to their cloud-based nature, which makes them accessible from anywhere via the internet. This broad accessibility increases the attack surface, making them attractive targets for cybercriminals. Vulnerabilities in APIs, insufficient user authentication, and misconfigured settings can further heighten risks. However, with strong data and identity security practices, along with advanced SaaS security posture management tools, you can mitigate these vulnerabilities when it comes to the use of SaaS platforms.

How can encryption help prevent SaaS data breaches?

Encryption helps prevent SaaS data breaches by converting sensitive data into unreadable code, ensuring that even if unauthorized individuals gain access, they cannot decipher it without the decryption key. It protects data both in transit (while being transmitted over the internet) and at rest (when stored on servers), reducing the risk of exposure during breaches. Strong encryption protocols, combined with secure key management, are crucial for safeguarding sensitive information in SaaS environments.

Meet DoControl - The #1 Multi-Layer SaaS Security Solution

DoControl was designed expressly for the multiple layers and attack surfaces of SaaS: data, identities, configurations and connected apps. Each of those must be fully secured in order to protect you against SaaS data breaches. 

DoControl’s Data Access Governance and Data Loss Prevention secure your data all across your SaaS ecosystem. Advanced data classification methods mean that no sensitive data goes undiscovered, and automated workflows mean that any detected threat can be mitigated in near real-time. 

DoControl’s Identity Threat Detection & Response (ITDR) and Insider Risk Management secure your user identities, protecting you from external threat actors and insider threats. Behavior benchmarking for individuals and groups, along with important contextual information from HRIS, EDR and IdP systems, enables smart differentiation between normal business activity and suspicious actions.

DoControl’s Shadow App Discovery & Remediation secures your third-party OAuth connected apps by monitoring app behavior and removing unnecessary apps and app permissions.

DoControl’s SaaS Misconfiguration Management secures your admin configurations, checking them against industry standards like CIS and offering remediation guidance.  

Keep Your SaaS Secrets Secret

Your sensitive and confidential data should remain that way. This post has covered SaaS data breach prevention, detection and response. But it’s up to you to take action, to find the right tools and implement them for true protection against SaaS data breaches.
