Breach
2020
Cisco's September 2018 Data Breach via Ex-Employee's AWS Credentials Misuse


Incident Details

In September 2018, a former Cisco engineer used old AWS credentials to delete 456 virtual machines, impacting Cisco's WebEx Teams application and causing an outage estimated to cost over $2.4 million.

Incident

How Did the Breach Happen?

Former Cisco employee Sudhish Kasaba Ramesh used an access key for the WebEx Application, which was maintained on AWS servers, to deploy code from his Google Project account, leading to the deletion of 456 virtual machines.

What Data Has Been Compromised?

The attack resulted in the shutdown of over 16,000 WebEx Teams accounts, affecting video meetings, messaging, and file sharing services. The incident description does not mention any compromise of personal data.

Why Did the Company's Security Measures Fail?

The security measures failed because Cisco did not disable Ramesh's AWS access upon his departure. Contributing factors were the use of IAM Users instead of Federated Identities, the issuance of IAM Access Keys, and the lack of a Cloud Security Posture Management (CSPM) solution to deactivate unused access keys.

What Immediate Impact Did the Breach Have on the Company?

Cisco suffered significant financial losses, including $1 million in damages and an additional $1.4 million in customer refunds due to the two-week service downtime.

How could this have been prevented?

The breach could have been prevented by deactivating Ramesh's AWS credentials upon his departure, transitioning to Federated Identities, stopping the use of IAM Access Keys, and implementing a CSPM solution.
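The check that an offboarding job or CSPM rule would run for the first and last of these measures can be sketched as follows. This is an added example, not code from Cisco or from this page's author: it reads a CSV in the layout of the IAM credential report (as returned by `aws iam generate-credential-report` and `aws iam get-credential-report`) and flags active access keys that belong to departed staff or have gone unused. The user names, dates, the `offboarded` roster and the 90-day threshold are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an IAM credential report,
# trimmed to the columns used here. Users and dates are invented.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,true,2018-09-20T10:15:00+00:00,false,N/A
departed-eng,true,2018-04-02T08:00:00+00:00,false,N/A
ci-deployer,true,N/A,true,2018-09-23T23:50:00+00:00
old-script,true,2018-01-15T09:30:00+00:00,false,N/A
bob,false,2017-11-01T12:00:00+00:00,false,N/A
"""

def audit_access_keys(report_csv, offboarded, now, max_idle_days=90):
    """Return (user, key_slot, reason) for each active key that should be deactivated."""
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # an inactive key cannot authenticate
            last_used = row[f"access_key_{slot}_last_used_date"]
            if row["user"] in offboarded:
                # Offboarding wins over any usage data: the key must go.
                reason = "owner offboarded"
            elif last_used in ("N/A", "no_information"):
                reason = "active but never used"
            elif datetime.fromisoformat(last_used) < cutoff:
                reason = f"unused for more than {max_idle_days} days"
            else:
                continue
            findings.append((row["user"], f"access_key_{slot}", reason))
    return findings

if __name__ == "__main__":
    # Assumed audit date and HR roster of departed employees.
    audit_time = datetime(2018, 9, 24, tzinfo=timezone.utc)
    for user, key, reason in audit_access_keys(SAMPLE_REPORT, {"departed-eng"}, audit_time):
        print(f"{user}: deactivate {key} ({reason})")
```

Without the HR roster, the departed engineer's key is only caught once it crosses the idle threshold, which is why the offboarding list is checked first.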

What have we learned from this data breach?

This breach underscores the importance of rigorous offboarding procedures that ensure former employees no longer have access to company systems, the use of Federated Identity Management over IAM Users, and the need for proactive cloud security management practices.

Summary of Coverage

Cisco's significant data breach in September 2018 was caused by a former engineer who misused AWS credentials to delete virtual machines of the WebEx Teams application. The company's failure to deactivate the former employee's access and outdated access management practices led to a costly outage. Cisco did not press for compensation despite the financial hit.
