After a wave of attacks, Snowflake insists security burden rests with customers

Dive Brief:

Snowflake once again tried to distance itself from a wave of attacks that hit more than 100 Snowflake customer environments in April. The cloud-based data warehouse vendor said responsibility for security rests with its customers, not Snowflake.
“As extensively reported, the issue wasn’t on the Snowflake side,” CEO Sridhar Ramaswamy said Wednesday during the company’s earnings call for the quarter ending July 31. “After multiple investigations by internal and external cybersecurity experts, we found no evidence that our platform was breached or compromised. However, we understand that when it comes to cybersecurity, we are all in this together.”
The attacks had no impact on Snowflake from a consumption standpoint during the quarter, CFO Michael Scarpelli said during the call. And there’s no indication the attack spree on Snowflake customers impacted the company’s financial performance.

Dive Insight:

Snowflake’s response to the attacks on its customers, and the message it conveys on cloud security ownership, has been consistent and firm: responsibility lies with customers.

One reason Snowflake remains “slightly muted” about the attacks is because the company itself wasn’t directly impacted, Ramaswamy said during the call.

“The people that got breached, these are our customers, and we want to work closely with them to make sure that they get out of the difficult situation that they are in,” Ramaswamy said.

“There’s not really been any noticeable impact or delay in things like our ability to sign up new customers or get existing customers to deploy new projects,” he said. “We just need to be more proactive about having the security conversation, and we absolutely do that.”

Three months after the attacks hit customer environments without multifactor authentication turned on, Snowflake established a new policy in July to allow administrators to require MFA for all users or specific roles.

MFA is now enabled by default for all newly created customer accounts, but the security control remains optional for existing customers.

“This whole situation is unfortunately representative of a very messy cybersecurity market,” Katell Thielemann, VP distinguished analyst at Gartner, said via email.

“Too many CISOs think they can ‘buy’ security only to find out after the fact their cybersecurity vendors only sell tools and do not share their sense of security posture ownership,” Thielemann said.

Snowflake’s MFA policy reflects the challenges technology vendors confront in instituting sweeping changes to a widely used platform. The company employs a shared responsibility model where customers are solely responsible for creating and securing access credentials to the Snowflake platform.

The burst of attacks on Snowflake customers’ databases tested the cloud market’s shared responsibility status quo.

“Too many CISOs think they have signed up for a shared responsibility model when in fact they cannot abdicate security ownership to any vendor,” Thielemann said.

Having MFA built into services by design and on by default is a cornerstone of the Cybersecurity and Infrastructure Security Agency’s secure-by-design principles. Snowflake is one of nearly 200 companies that have signed CISA’s secure-by-design pledge and voluntarily committed to embrace secure development practices over the next year.

Snowflake’s revenue increased 29% year over year to nearly $869 million in its fiscal 2025 second quarter. The company reported no financial impact from the attacks on its customers, yet losses widened to almost $317 million, up from almost $227 million in the year-ago quarter.