Dive Brief:
- Advance Auto Parts said the personal information of more than 2.3 million people was exposed by a cyberattack on its Snowflake environment, according to a data breach disclosure letter filed Wednesday with the Office of the Maine Attorney General.
- An attacker broke into Advance Auto Parts’ Snowflake environment on April 14 and maintained unauthorized access until May 24, the auto parts retailer said in the disclosure.
- The company first learned about the attack on May 23, according to SVP and CISO Ethan Steiger. “Like many other companies, an unauthorized third party gained access to certain information maintained by Advance Auto Parts within Snowflake, our cloud storage and data warehouse vendor,” Steiger wrote in the notice sent to people impacted by the breach.
Dive Insight:
At least 100 companies were impacted by a wave of attacks targeting Snowflake customer environments in April, but very few victim organizations have publicly linked the data cloud vendor to the attacks. Others may follow as more customers impacted by the breach come forward.
AT&T’s Snowflake environment was breached for 11 days in April, resulting in the theft of call and text message records on nearly 110 million customers, the company said in a Friday filing with the Securities and Exchange Commission.
In mid-June, Pure Storage became the first Snowflake customer to confirm in a public forum that it was impacted in the spree of identity-based attacks targeting Snowflake customer databases.
The breach of Advance Auto Parts’ Snowflake environment exposed personal information that was collected as part of the company’s job application process, the company said in the data breach disclosure letter. Compromised data potentially included names, Social Security numbers, driver’s license or other government-issued ID numbers and dates of birth, the company said.
Advance Auto Parts completed its investigation into the data breach on June 10.
Snowflake and its incident response firms Mandiant and CrowdStrike maintain the attacks were not caused by a vulnerability or breach of Snowflake’s enterprise environment.
The financially motivated attacker, UNC5537, used stolen credentials obtained from multiple infostealer malware infections to access Snowflake customer databases, Mandiant said last month in a threat intelligence report.