Six Degrees of Identity Security Issues

It’s no secret that security breaches are on the rise. You’ve likely heard statistics about the record number of breaches that occurred in 2023. They’re also getting costlier: The global average cost of a data breach last year was a staggering $4.45 million. 

What you might not hear is that identity management issues are the root cause of many security breaches. In fact, 75% of security incidents were caused by bad actors taking advantage of human errors, specifically errors related to access privileges and identity mismanagement. 

Identity management issues can manifest and open the door to attacks in many different ways. Sometimes, it’s very straightforward — as is the case when ex-employees or contractors use unrevoked credentials for malicious intent well after the company should have severed their access to corporate systems and networks. Other times, there are multiple layers at play. When a hacker breaches a system because a company hasn’t enabled or enforced multi-factor authentication (MFA), for example, a few different things can happen. If the company has solid least privilege practices in place, it could stop a hacker in their tracks with minimal damage. If MFA and least privilege protocols aren’t enforced, the hacker could move laterally and access sensitive information layers away from their initial entry point. In this case, identity mismanagement can allow a simple and commonplace phishing attempt to morph into a massive incident.  

These types of identity management missteps have led to headline-grabbing incidents affecting some of the world's best-known companies. But it’s not because those companies are careless or don’t care about security. It’s simply because identity security is extremely hard to manage at scale with legacy tools and systems. We need a better approach that makes it easier for organizations to manage access controls, and continuously monitor for (and remediate!) issues that slip through the cracks.

Let’s examine some real-world examples and discuss how these types of incidents can be prevented in the future. 

‍

Cash App

In 2022, a disgruntled former employee of Cash App downloaded and shared personal information about 8.2 million users. This breach represents an identity security failure on multiple levels. First, the ex-employee was able to gain access to Cash App’s systems because the company failed to revoke their access permissions upon termination.

Additionally, Cash App failed to conduct regular user access reviews (UARs). If this best practice had been followed, it likely would have alerted the company to the issue before the ex-employee capitalized on Cash App’s misstep. This incident highlights the importance of strong security protocols upon employee termination and the need for continuous monitoring efforts — beyond point-in-time UARs — to catch potential risks before they lead to a real problem. 

‍

Change Healthcare

In February 2024, a cyberattack knocked Change Healthcare — a subsidiary of the global health company UnitedHealth — offline. Operations came to a halt, leading to a backlog of unpaid medical claims and strapping doctors’ offices and hospitals with serious cashflow problems. 

As a result of the attack, millions of Americans' sensitive health data was also leaked onto the dark web. The cause? UnitedHealth wasn’t using MFA to secure critical systems. Though MFA is standard across UnitedHealth, it wasn’t yet implemented across Change Healthcare systems after UnitedHealth acquired the company in 2022. 

The lack of MFA wasn’t the only issue here, either. The hacker caused a massive amount of damage because, once inside, they could easily move laterally through Change Healthcare’s systems—thanks to elevated privileges, which allowed them to unlock doors and roam about. With tighter enforcement of least privilege protocols, Change Healthcare could have limited the hacker's movements.

‍

Circle CI

Circle CI suffered a data breach in 2023. In this instance, though MFA was enabled, a bad actor was still able to breach the system through malware deployed on a Circle CI engineer’s laptop. From there, the hacker impersonated the hacked employee and escalated their own access to production systems. 

This is a classic case of over-privileging gone wrong and illustrates the need to implement continuous monitoring to track and approve privilege escalations in real-time — and a threat monitoring system to catch suspicious activity. JIT protocols would also make an impact in a situation like this. Some employees need the ability to generate production access tokens, but if that permission is always-on (versus provided when requested), it's more likely to be exploited. 

As a result of the breach, Circle CI instituted a number of new security measures, including restricting production environment access to “a very limited number” of employees, as well as implementing additional authentication steps and controls.  

‍

Deloitte

In 2017, hackers breached Deloitte's global email server via an administrator account that had unrestricted access to Deloitte’s entire network (and also wasn’t protected via MFA). This incident highlights the critical risks associated with administrator privileges. If too many people have unrestricted access to your network, hackers have more opportunities to do significant damage if they breach those credentials. 

As a best practice, follow least privilege protocols and only grant access to users who need certain systems or assets to complete the duties of their job. When you do grant access, follow JIT or time-bound procedures to limit the duration in which people have access — and, therefore, the duration of time that bad actors could take advantage of that access.

‍

Lyft and Uber

Two separate but similar incidents at ride-sharing services Lyft and Uber highlight how identity security issues can invite insider threats and damage a brand’s reputation. Both incidents involve employees tracking riders’ whereabouts via internal systems strictly for personal interest (significant others and celebrities, for instance) instead of as a necessity to complete an action within their job duties. 

While the information wasn’t ultimately used in a malicious way, these incidents were a significant breach of customer trust that led to reputational damage for both companies. Again, these incidents are a reminder to limit access to sensitive data and information to only those who need it when they need it. External threats are not the only ones to worry about. 

‍

Microsoft

In early 2024, a group known as Midnight Blizzard breached Microsoft by compromising test cloud identities that lacked MFA. Once inside, they leveraged this access to compromise legacy OAuth applications within Microsoft's Azure Entra environment and then escalated their privileges to move laterally into Microsoft's corporate environment. 

The hackers managed to gain access to various email accounts, including those of senior leadership and cybersecurity personnel. By enforcing strong authentication protocols and least privilege access to prevent lateral movement, Microsoft could have thwarted Midnight Blizzard before the group was able to infiltrate as many emails and systems as they ultimately did.

Snowflake

In early 2024, hackers targeted Snowflake customers using stolen login credentials to penetrate accounts that didn’t enforce MFA. This incident was labeled one of the biggest data breaches of all time, as hackers were able to access data from massive Snowflake customers like Ticketmaster, Santander, and AT&T. Millions of people were impacted by the AT&T breach alone, with their personal information leaked to the dark web. 

As a result of the attacks, Snowflake implemented new security protocols that allow account administrators to require MFA for all users or specific roles. According to Snowflake’s CISO, MFA will also be enabled by default for all newly created Snowflake customer accounts.

The attacks on Snowflake customers underscore the importance of strict security measures for third-party software providers. They also remind us to follow least privilege best practices to limit the impact of successful phishing attempts.

‍

Get to the Root of the Issue: Enforce Identity Security

Though it may not always be obvious at first glance, many security breaches can be traced back to identity management issues. Identity security is difficult to manage and, despite their best efforts, even the largest and most resource-rich companies face challenges.  

A stronger identity security function can prevent malicious actions from disgruntled ex-employees, insider threats, lateral movement, and more. Following least privilege protocols and continuously monitoring for identity management-related risks will help any organization prevent breaches and ensure business continuity. 

‍

Want to protect your organization from suffering the same fate as the companies mentioned above? Opal’s identity security platform offers the unique ability to identify, prioritize and mitigate identity risks in your environment, helping you achieve and maintain a least privilege security posture.   You can watch a demo of the solution here.