A Bozeman-based technology company is at the center of a class-action lawsuit, a Congressional investigation and a massive data breach that could affect more than a half billion customers.
Snowflake, Inc., is a cloud-based data hosting company used by some of the biggest and most recognized companies in America and abroad. Those companies, including Ticketmaster, AT&T and Advance Auto Parts, have housed customers’ personally identifying information with Snowflake, but according to the class-action lawsuit filed in federal court in Butte, the company didn’t take measures to secure the data, which may have been compromised as early as 2020 through June 2024.
According to court documents, Snowflake has about 20% of the web hosting market share globally. Its headquarters are in Bozeman, but it has divisions scattered throughout the world.
Even as late as last month, hackers and cybercriminals were offering to sell thousands of “print-at-home” tickets to upcoming Taylor Swift concerts unless Ticketmaster paid an extortion ransom.
A Snowflake spokesperson said the company does not comment on active litigation.
In the 50-page class-action complaint, Billings-based attorney John Heenan told federal court Judge Brian Morris that millions of people’s personal data, including credit card information, home addresses and tax information, could be used to fraudulently create new identities, which could lead to loans and purchases that won’t be discovered until long after the money disappears. Moreover, once the private data has been extracted, it can be sold and resold on the dark web, leading to an almost never-ending cycle of cybercrime and victimization for those targeted by identity fraud.
The lawsuit also claims that Snowflake didn’t even take some of the most basic steps to ensure the data was kept safe. For example, the suit claims the company didn’t require multi-factor authentication for users and didn’t monitor large data downloads on its networks. Furthermore, the suit claims that even after some of the data breaches were discovered, the company didn’t require users to change their passwords. All of those measures, the lawsuit claims, are standard practices for companies specializing in data storage.
The lawsuit also said that Snowflake has nearly 10,000 customers, including Anheuser-Busch, Mitsubishi, Neiman Marcus, Progressive, State Farm, and PepsiCo.
“Snowflake could also have better monitored its systems to detect unusual activity or activity associated with unauthorized access, including by implementing IP filters and limiting access to its network environment to only necessary users,” the lawsuit claims.
The suit claims that Snowflake held a number of sensitive and personally identifying records, for example, Social Security numbers, names, email addresses, driver’s licenses, dates of birth and payroll data.
“Soon after they exfiltrated the personally-identifying information from Snowflake’s platform, the threat actors attempted to extort payments from Snowflake’s clients and began publishing samples of the stolen consumer (information) on dark web marketplaces for sale to identity thieves and fraudsters,” the lawsuit said.
Sometimes, the dark web marketplace data included large batches like 1 million Ticketmaster customer records released on June 21.
“(Snowflake) disregarded the rights of the plaintiffs and class members by intentionally, willfully, recklessly, and/or negligently failing to implement reasonable measures to safeguard personally-identifiable information from unauthorized access and by failing to take necessary steps to prevent unauthorized disclosure of that information,” the lawsuit said. “(Snowflake’s) woefully inadequate data security measures made the data breach a foreseeable, and even likely, consequence of its actions and omissions.”
Beyond that, the lawsuit claims that after the data breach was made public, Snowflake offered false hope that the information had been recovered and destroyed.
“Even where companies pay for the return of data, attackers often leak or sell the data regardless because there is no way to verify copies of the data are destroyed,” the class-action lawsuit said.
For example, hackers offered to sell 3 terabytes of data stolen from Advance Auto Parts for $1.5 million. That information included 380 million customer profiles, 140 million customer orders, and information on all employment candidates as well as personal information on 358,000 employees.
Experts warn that while not all the data that was stolen could be used to hurt customers, it could be paired with data hacked, stolen, or publicly available to create fuller profiles of individuals, which then can be packaged for sale to other criminals. That information, often called a “Fullz package,” can be sold at a higher price, and sold repeatedly.
The lawsuit alleges four civil counts against Snowflake, including negligence, breach of contract and unjust enrichment.
Senate investigation
On Tuesday, U.S. Sen. Richard Blumenthal, D-Connecticut, the chairman of the United States Senate Subcommittee on Privacy, Technology and the Law, along with ranking member Sen. Josh Hawley, R-Missouri, demanded information on the series of data breaches.
One of the particular areas of concern for the Senate focuses on the Ticketmaster and Taylor Swift concerts, but also a data breach of communications giant AT&T.
“Most recently, on July 12, AT&T announced that six months of customer data hosted on its Snowflake services were illicitly accessed, including phone call and text message records — information that can easily provide cybercriminals, spies and stalkers a logbook of communications and activities of AT&T customers,” the letter from the Senators said.
The letter also chastises Snowflake, saying that the public is likely unaware of the full extent of the reach.
“The recent AT&T disclosure — three months after the breach and following other announced breaches — raises concerns that we still do not know the full scope or impact of the campaign targeting Snowflake customers. Based on its assessment of stolen Snowflake passwords, Mandiant (a cybersecurity firm) reported that 160 other organizations could have been targeted in the hacking campaign,” the letter stated.
The Senate subcommittee is demanding a detailed accounting report and timeline for all Snowflake data breaches, and the company’s response and investigation into the matter. The Senate also wants more information about what communication and steps Snowflake has taken to provide support to those whose data was breached.
“Given that multiple accounts containing a significant amount of data were illicitly accessed, why did Snowflake not detect the breaches in time to prevent the theft of customer data?” the letter asks.