News: 1720703707

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Advance Auto Parts: 2.3M people's data accessed when crims broke into our Snowflake account

(2024/07/11)


Advance Auto Parts' CISO just revealed for the first time the number of individuals affected when criminals broke into its Snowflake instance – a hefty 2.3 million.

Ethan Steiger notified Maine's Attorney General on [1]Wednesday of the extent of the damage – numbering this at 2,316,591 exactly – and the letter sent to victims confirms that the data potentially stolen includes names, dates of birth, social security numbers, and driver's license or other ID document numbers.

Steiger's letter also said Advance Auto Parts became aware of the intrusion on May 23, but now understands that the cybercriminal(s) behind the attack maintained access to its Snowflake instance between April 14 and May 24.

[2]

Two letter templates were included in the [3]notification to Maine's AG – one for the 13,858 Maine residents affected by the attack and another which appears to be a general template designed for victims residing in other states.

[4]

[5]

The general version mentioned that the data accessed by the criminals was gathered and stored as part of the company's job application process, however, the Maine letter made no mention of this.

"On May 23, 2024, we learned that, like many other companies, an unauthorized third party gained access to certain information maintained by Advance Auto Parts within Snowflake, our cloud storage and data warehousing vendor," the letter reads. "We began an investigation to determine the nature and scope of the incident with the support of third-party experts and took measures to contain the incident and terminate the unauthorized access.

[6]

"Upon learning of the incident, we promptly terminated the unauthorized access and took proactive measures aimed at preventing future unauthorized access. We also notified law enforcement," it added.

"In addition, we continue to work with third-party cybersecurity experts to take steps to further harden our systems and emerge from this incident an even more secure organization."

This week's notification is the first time Advance Auto Parts has officially admitted it was one of the major companies caught up in the large rash of Snowflake break-ins, joining the likes of Ticketmaster and Santander, whose storage was also broken into.

[7]

The aftermarket auto parts dealer has been quiet about the incident on social media, its website's press corner, and hasn't before confirmed that it was a victim, let alone the scale of the data accessed.

What are the criminals saying?

The individual or group behind the attack uses the online alias Sp1d3r and previously put Advance's data up for sale on a cybercrime forum, asking for $1.5 million as a payment.

It seems Sp1d3r has done the usual cybercriminal trick of overinflating the figures in its advertisement of the data, though. Its forum post claims 380 million customer profiles were stolen which included names, email and home addresses, phone numbers, and more.

Sp1d3r alleged that among the 3 TB worth of data it stole were part numbers, SSNs, ID document numbers, demographic details, transaction details, loyalty and gas card numbers, and information about 358,000 staff.

The letters penned by CISO Ethan Steiger now suggest the scale was much smaller at just 2.3 million affected individuals, and the rest of the data types allegedly stolen to be bogus claims.

Snowflake latest

Advance Auto Parts' confirmation comes a day after Snowflake [8]announced new policies available to storage admins that allow multifactor authentication (MFA) to be applied across entire organizations.

[9]Snowflake lets admins make MFA mandatory across all user accounts

[10]Fiend touts stolen Neiman Marcus customer info for $150K

[11]Snowflake data leaks snowball as more victims, perps, come forward

[12]Live Nation CFO on Taylor Swift ticket chaos: Don't blame me, bots made me crazy

Having consistently denied any suggestions that a break-in at Snowflake towers was to blame for the spate of data protection gaffes at its customers, the new measure aims to address the issue said to be at the heart of the incidents – that customers [13]weren't enabling MFA where they perhaps should have been.

The announcement also suggested that it would make MFA mandatory across all human user accounts in the near future, but for now, it's just giving admins the opportunity to apply it organization-wide if they want to (they should). By default, MFA is still not enabled on Snowflake accounts and prior to this move, it had to be enabled on a per-user basis.

Ticketmaster is the other big name still embroiled in the Snowflake saga; it was also [14]one of the first companies suggested to be affected.

The ticketing giant is still [15]reportedly being extorted for $2 million by digi-rascals as part of an ongoing campaign that has recently seen 166,000 Taylor Swift tour ticket barcodes allegedly leaked on a cybercrime forum.

The Register asked Ticketmaster for a statement but it didn't immediately respond. ®

Get our [16]Tech Resources



[1] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/9a6279ea-12a4-47c8-855e-9ce509f5a2b2.html

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZpABo5kH@veyFgedFP@0hAAAAM4&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/9a6279ea-12a4-47c8-855e-9ce509f5a2b2.html

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZpABo5kH@veyFgedFP@0hAAAAM4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZpABo5kH@veyFgedFP@0hAAAAM4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZpABo5kH@veyFgedFP@0hAAAAM4&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZpABo5kH@veyFgedFP@0hAAAAM4&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/07/10/snowflake_mandatory_mfa/

[9] https://www.theregister.com/2024/07/10/snowflake_mandatory_mfa/

[10] https://www.theregister.com/2024/06/25/neiman_marcus_snowflake_victim/

[11] https://www.theregister.com/2024/06/24/snowflake_breach_accelerating_into_snowball/

[12] https://www.theregister.com/2023/01/24/taylor_swift_bots_blamed/

[13] https://www.theregister.com/2024/06/11/crims_targeting_snowflake_customers/

[14] https://www.theregister.com/2024/05/29/breachforums_ticketmaster_data/

[15] https://www.linkedin.com/pulse/taylor-swift-eras-tour-tickets-leaked-shinyhunters-shahrukh-reza-yahqf/

[16] https://whitepapers.theregister.com/



WHY, in deity's name does an autoparts store require

picturethis

"dates of birth, social security numbers, and driver's license or other ID document numbers"

to purchase parts for an automobile?

It bothers me to no end that there are 2.3M people morons that have given this information to some corporation for this purpose.

Does anyone question anything anymore - especially when being asked for this information?

That company's CEO and CIO should be sued out of existence and banned from ever being able to be in those positions again and the company should be fined into bankruptcy. Maybe that would give other companies that ask for this information pause.

This is the exact reason that I will never do business with Best Buy - because of the demand for my driver's license so that they can check against their DB for fraudulent returns. FU Best Buy..

I am seeing red right now and I can't respond any further...

Re: WHY, in deity's name does an autoparts store require

FILE_ID.DIZ

Well, it was explained elsewhere in the article, "The general version mentioned that the data accessed by the criminals was gathered and stored as part of the company's job application process..."

So, yes - the collection of SSN numbers would be part of a job application's data acquisition task.

And because their employees may do deliveries to local repair shops, storing drivers license data also makes sense.

The fact that they stored many multiples of people's data than they currently employ is possibly concerning. But I don't know record retention laws or regulations may require post-separation, both with respect to IRS (SSN) or any traffic-related civil or criminal suits (DL) and I don't know what their employee turn-over rate is. I mean, if they hire and separate from 20K people every three months, having a few million over the course of several years seems reasonable.

But - most likely, this company simply didn't know the breadth of all the data that they were storing.

You also bring up a good point with respect to returns and drivers licenses - I don't know about Best Buy specifically, but I know that there are third-party companies that do provide such fraud checks. Whether or not that data is domiciled with Best Buy or with that third-party entity, couldn't tell you.

You can always refuse to have them scan in your drivers license. Just say you don't have one. Purchasing from their store wasn't conditioned on having one, returning can't either. (FYI, IANAL, YMMV.) Or just return it online - no DL needed that way.

LILO, you've got me on my knees!
(from David Black, dblack@pilot.njin.net, with apologies to Derek and the
Dominos, and Werner Almsberger)