OneLogin
has admitted that it cannot guarantee the security of encrypted data
compromised by a cybercriminal on Wednesday (May 31st).
The firm has confirmed that a review is currently underway to investigate
the data breach, which affected its “US data region”.
Unauthorized access has since been blocked and the
incident has been reported to the authorities, with independent security firms
also on board to help identify the extent of the incident.
OneLogin found that the cybercriminal had obtained
access to a set of AWS keys, and had used them to access the AWS API from an
intermediate host with another, smaller service provider in the US.
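The detail above, that a stolen set of long-lived AWS keys was used against the AWS API from a host the owner did not control, is the kind of thing CloudTrail records can surface. The following is an added example, not OneLogin's tooling and not derived from anything the article reports beyond that description: it walks CloudTrail-style records and flags every call where an access key is used from outside the networks that key is expected to come from. The records, key IDs and network allowlist are all constructed placeholders.

```python
"""Flag AWS API calls made with an access key from outside the hosts that are
expected to use it.  Added illustration, not OneLogin's code; the records,
key IDs and allowlist below are constructed, not from the incident."""
import ipaddress

# Constructed CloudTrail-style records, trimmed to the fields this check needs.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T02:01:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.1.25", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2017-05-31T02:03:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.77", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2017-05-31T02:04:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.77", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"}},
    {"eventTime": "2017-05-31T02:05:00Z", "eventName": "GetObject",
     "sourceIPAddress": "10.0.1.26", "accessKeyId": "AKIAEXAMPLEKEY000002",
     "userIdentity": {"type": "IAMUser", "userName": "backup"}},
    {"eventTime": "2017-05-31T02:06:00Z", "eventName": "PutObject",
     "sourceIPAddress": "ec2.amazonaws.com", "accessKeyId": "AKIAEXAMPLEKEY000002",
     "userIdentity": {"type": "AWSService"}},
]

# Hypothetical allowlist: the networks each long-lived key should be used from.
EXPECTED_NETWORKS = {
    "AKIAEXAMPLEKEY000001": ["10.0.1.0/24"],
    "AKIAEXAMPLEKEY000002": ["10.0.1.0/24"],
}


def find_out_of_place_key_usage(events, expected):
    """Return (accessKeyId, sourceIPAddress, eventName) for every call whose
    source address lies outside all networks listed for that key, or whose
    key has no allowlist entry at all (an unknown key is itself worth a look)."""
    nets = {k: [ipaddress.ip_network(n) for n in v] for k, v in expected.items()}
    findings = []
    for ev in events:
        key = ev.get("accessKeyId")
        src = ev.get("sourceIPAddress", "")
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            # AWS service principals appear as hostnames such as
            # "ec2.amazonaws.com"; they are not an external host, so skip them.
            continue
        allowed = nets.get(key)
        if allowed is None or not any(addr in n for n in allowed):
            findings.append((key, src, ev.get("eventName")))
    return findings


def keys_seen_from_new_hosts(events, expected):
    """Distinct keys with at least one out-of-place call: the set a responder
    would disable and rotate first."""
    return sorted({k for k, _, _ in find_out_of_place_key_usage(events, expected)})


if __name__ == "__main__":
    for key, src, name in find_out_of_place_key_usage(SAMPLE_EVENTS, EXPECTED_NETWORKS):
        print(f"{key} used from {src}: {name}")
    print("keys to rotate:", keys_seen_from_new_hosts(SAMPLE_EVENTS, EXPECTED_NETWORKS))
```

In the constructed data the first key is used twice from 203.0.113.77, an address outside its expected network, so it is the one flagged for rotation; the second key is only seen from its own network or from an AWS service principal and passes. The same check runs unchanged over real CloudTrail JSON, since it reads only the `sourceIPAddress`, `accessKeyId` and `eventName` fields that every record carries.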
Affected customers have already been informed, with
the company claiming that the attacker was able to access database tables
containing various pieces of sensitive information about users, apps and
various types of keys.
While insisting that much of its most sensitive
data was encrypted, the company admitted that it cannot guarantee that the
cybercriminal has not managed to find a way to decrypt that data.
As a result, it has asked customers to remain
vigilant, making several recommendations for action.
According to Bill Buchanan of Edinburgh Napier
University, the incident has highlighted the risk of depending on cloud-based
systems.
He told the BBC:
“Increasingly they [companies] need to encrypt sensitive information before
they put it within cloud systems, and watch that their encryption keys are not
distributed to malicious agents.
“It is almost impossible to decrypt data that uses
strong encryption, unless the encryption key has been generated from a simple
password.”
The case once again highlights the importance of
properly implementing an encryption solution, particularly for UK companies,
which are still likely to remember the £150,000 fine dished out to insurance company Alliance and Leicester
at the beginning of the year.
Whether OneLogin could have done more to protect
their encrypted data is likely to become clearer in the next few weeks.