
It's not Snowflake's fault their customers used weak passwords and no MFA. Not enforcing MFA does merit some blame on Snowflake; however, I still think it's on the customer to secure your own environment.


I feel like this would be true if ONE customer was hacked. At this point it's more than a handful. AND snowflake knew about it.

If all the lockboxes in a bank get broken into, is it respectable to say "ah all of the customers should have used better locks"? The bank is the party who is supposed to be giving the insight into secure storage. They're not just renting space.


Totally, way too many people are trying to blame snowflake.

ATT is a technology infrastructure company. Secure transmission of data is one of their core business competencies (theoretically). They are a corporation that we trust to handle incredibly sensitive info. Call records are, in fact, incredibly sensitive data.

They should be telling Snowflake what best practices to be using, not the other way around!


> Totally, way too many people are trying to blame snowflake.

Well the _actual_ compromise started from one of their employees, so it's pretty unsurprising that they're getting (some of) the blame.


Ahh. The linked article didn't have that detail.

They attributed it to a lack of 2FA


AT&T and phone carriers in general are not technology companies. They are infrastructure companies that purchase off-the-shelf communication technology, slap a billing system on top, and then spend most of their time on operations (finding places to put towers, keeping the gear up and running) and marketing. The security component of communications isn't built by them, but by the equipment manufacturers that they purchase from. There are no strong penalties for involuntary data leaks - why would they do more?


ATT has a rich history of being a technology company. They invented UNIX! That's in the past, fair enough.

So they used to develop cutting edge technology, they sell technology, they buy technology, they operate technology, they work with manufacturers to develop new technology, they operate the infrastructure underpinning the modern technology economy, but they aren't a technology company?

Even if you want to argue that they aren't a technology company, they sure spend enough time doing everything a technology company does to hold them accountable for their technology failures.


> They invented UNIX!

They also invented the transistor, C, the photovoltaic cell, radio astronomy, and … the telephone. ;)

Yes that’s the past, but AT&T labs still employs almost two thousand people. It’s very funny to try to claim AT&T isn’t a technology company and only peddles services on top of equipment made by others.


The company called AT&T now and the company called AT&T that invented Unix have really nothing in common but a thin stretch of history by now. The technology development units of AT&T were split off into Lucent a long time ago.

Calling AT&T a tech company because they operate technological infrastructure is like calling Spirit Airlines an aerospace technology company because they operate jet airplanes.


> The security component of communications isn’t built by them

Are you claiming AT&T outsourced security and have contracts to back that up? Buying security equipment surely doesn't amount to having security; that would be hilariously naïve. Equipment manufacturers are not responsible for AT&T's data security, AT&T is. There are laws around security that can hold AT&T liable, in the US and Europe and elsewhere. Whether they will hold the company liable is another question, but these laws will not accept an excuse that AT&T purchased security equipment from another company.


I claim that these companies do not have a particularly high amount of in-house infosec know-how and outsource a lot of it, not necessarily just in terms of buying equipment, but also the service component of how to set up business practices in a secure way. It doesn't absolve them of their failures but I'm no less surprised in AT&T failing to protect data than I would be McDonald's.


It’s unclear what you’re arguing. That AT&T isn’t capable of securing customer data, and we shouldn’t expect that of them? That they shouldn’t be held liable?

If they don’t have the core competency, they need to obtain it as a requirement of doing business.


AT&T is a real-estate company that coincidentally sells telecommunications services. My wife used to work for them and given what she's told me I would never in a million years do any business with them intentionally.


Snowflake is saying they knew of unusual activity "around mid-April 2024", confirmed "May 23, 2024", around which time they made MFA mandatory (although their customer AT&T say they knew of the breach "Mar 20"; these timelines keep shifting back):

"Mandatory MFA option unveiled by Snowflake" - Jul 11, 2024 https://www.scmagazine.com/brief/mandatory-mfa-option-unveil...

> "US cloud storage firm Snowflake has already required the implementation of multi-factor authentication across all user accounts a month following the widespread breach of customer accounts, including those of Ticketmaster and Santander Bank, reports The Register."


It's not mandatory, I still have Snowflake user accounts that don't use MFA.


"Mandatory MFA option unveiled by Snowflake" sounds like they made it an option for an organization to decide to make MFA mandatory within that organization. But that conflicts with The Register headline. Snowflake's PR machine seems to be in overdrive.


It's industry standard to enforce MFA for customers of such sensitive data though. There's always going to be weak links.
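Added example, not from any commenter in this thread: what "an organization decides to make MFA mandatory within that organization" looks like on the customer side of a Snowflake account, plus the two audit queries an admin would run to find the gaps the thread describes (users without MFA enrolled, and password logins that went through with no second factor). The authentication-policy DDL and the `SNOWFLAKE.ACCOUNT_USAGE` view and column names are as I recall them from Snowflake's documentation and should be checked against the current docs; the policy name `require_mfa_policy` is made up.

```sql
-- Added example (not from the thread): enforce MFA enrolment on a Snowflake
-- account and audit for accounts that still sidestep it.
-- Run with a role that can ALTER ACCOUNT and read SNOWFLAKE.ACCOUNT_USAGE
-- (ACCOUNTADMIN). Policy name is made up; DDL/column names assumed from docs.

-- 1. Policy: password logins must enrol in MFA. SSO stays available and is
--    expected to carry its own MFA at the identity provider.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa_policy
  AUTHENTICATION_METHODS     = ('PASSWORD', 'SAML')
  MFA_AUTHENTICATION_METHODS = ('PASSWORD')
  MFA_ENROLLMENT             = REQUIRED
  COMMENT = 'Password users must enrol in MFA; SSO users rely on IdP MFA';

-- 2. Apply it account-wide. This is the knob the customer, not the vendor,
--    has to turn; an "optional" feature does nothing until this runs.
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 3. Audit: active users who can log in with a password and have no MFA
--    device enrolled. These are the accounts a leaked credential unlocks.
SELECT name, email, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 4. Audit: successful password logins in the last 30 days that presented
--    no second factor, with source IP and client so they can be reviewed.
SELECT user_name, client_ip, reported_client_type, event_timestamp
FROM   snowflake.account_usage.login_history
WHERE  event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND  is_success = 'YES'
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;
```

Two caveats for anyone using this: the `ACCOUNT_USAGE` views lag live activity by up to a couple of hours, so query 4 is for periodic review rather than real-time alerting, and service accounts that only authenticate with key pairs will not appear in query 3 because `has_password` is false for them, which is the state you want those accounts in.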


Right. Snowflake facilitated AT&T's abject negligence, but ultimately the buck stops with AT&T, here.

