
Third-Party Analytics Tool Breach Exposes Snowflake Customer Data — SaaS Supply Chain Risk Materialises

The breach of Anodot, a business analytics integration platform, has resulted in data theft from over a dozen organisations that use Snowflake cloud data warehouses. Attackers stole authentication credentials held by Anodot and used them to access customer data directly — a supply chain attack that bypassed the victim organisations' own security controls entirely.


What Happened

Anodot, an AI-powered analytics platform used by many organisations to monitor business performance metrics from their Snowflake cloud data warehouses, suffered a security breach. Attackers — identified as the ShinyHunters group — obtained authentication credentials that Anodot held to access its customers’ Snowflake environments. Those credentials were then used to directly access and steal data from over a dozen victim organisations.

The victims did not experience any breach of their own systems. Their perimeter defences, endpoint controls, and internal monitoring were not circumvented. The attack succeeded entirely because a third-party tool they trusted with access to their data was itself compromised. This is what security professionals call a fourth-party risk incident: you were not attacked directly, and neither was your primary supplier — the attack came through your supplier’s supplier.

Snowflake confirmed the incident, describing it as affecting “a small number of customers” through a third-party issue.

Business Impact

Data exposure without a direct breach. Every organisation that granted Anodot access to their Snowflake environment is a potential victim. The data Anodot could access is the data the attackers could steal — which typically includes revenue figures, transaction volumes, customer counts, and operational metrics depending on what was integrated.

No warning. Organisations monitoring their own network perimeters, user access logs, and endpoint detection tools would not have seen this attack. The access appeared to originate from Anodot — a trusted source — using legitimate credentials.

Third-party inventory gap exposed. Many organisations cannot immediately answer “which third-party platforms hold credentials to our cloud data infrastructure?” This incident demonstrates that not knowing the answer is a material risk.

Regulatory exposure. If the stolen data includes personal data of customers or employees, GDPR breach notification obligations may be triggered — even though the organisation’s own systems were not directly compromised.

Regulatory Implications

GDPR: Data controllers remain responsible for personal data processed on their behalf even when breached through a third-party processor. If Snowflake environments contained personal data and Anodot held access, the controller must assess notification obligations under Articles 33 and 34 within 72 hours of becoming aware.

NIS2: Supply chain security obligations require essential and important entities to assess the security practices of suppliers. This incident illustrates the consequence of insufficient supplier security assessment for SaaS integration tools.

DORA: Financial entities must manage ICT third-party risk across the full supply chain, including sub-processors. Authentication tokens held by analytics integrators that access core data infrastructure are within DORA’s ICT third-party risk scope.

Board-Ready Summary

  • A business analytics tool used to monitor performance data from cloud systems was breached, and attackers used the tool’s access credentials to steal data directly from customer environments — all without touching those customers’ own systems.
  • This attack is a warning about an undermanaged risk category: third-party SaaS tools that hold persistent access to your data infrastructure are an attack surface that your own security controls cannot monitor or protect.
  • Organisations using Snowflake should immediately audit which third-party platforms hold active credentials and apply least-privilege access controls to limit what each integration can access.

  1. Audit all third-party integrations with access to cloud data infrastructure within 48 hours. Produce a list of every SaaS platform that holds credentials to Snowflake, AWS S3, Azure Data Lake, or equivalent. If you cannot produce this list, that is itself the finding.
  2. Rotate credentials for any integration platform that cannot confirm it is unaffected. If you use Anodot or any similar SaaS analytics integration, treat those credentials as potentially compromised and issue new ones.
  3. Apply the principle of least privilege to integration credentials. Each integration should hold read-only access to only the data schemas it needs — not warehouse-level or account-level access.
  4. Assess GDPR notification obligations. If personal data was accessible in the compromised Snowflake environments, your Data Protection Officer should assess whether the 72-hour notification clock has started. The fact that the breach occurred through a third party does not exempt you from notification.
  5. Add SaaS integration platforms to your third-party risk review programme. Any tool that holds persistent credentials to your data infrastructure should be subject to annual security review, including SOC 2 Type II certification verification and credential scope audits.
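As an added example (not code from the briefing, Snowflake or Anodot), steps 1 to 3 above expressed as Snowflake SQL; every object name (ANODOT_SVC, ANODOT_READER, ANALYTICS_DB.KPIS, REPORTING_WH) and the IP range are assumed placeholders.

```sql
-- Added example, not from the briefing: audit, rotation and least privilege
-- for a third-party integration user in Snowflake. Run with a role that can
-- read SNOWFLAKE.ACCOUNT_USAGE. All object names and IPs are placeholders.

-- 1. Audit: active users, the roles they hold, whether any role is
--    administrative, and where they logged in from in the last 90 days.
--    An integration account should show one narrow role and a stable
--    set of vendor source IPs; anything else is a finding.
SELECT u.name                                   AS user_name,
       u.has_password,
       u.has_rsa_public_key,
       LISTAGG(DISTINCT g.role, ', ')            AS roles_held,
       MAX(IFF(g.role IN ('ACCOUNTADMIN', 'SECURITYADMIN', 'SYSADMIN'), 1, 0))
                                                AS holds_admin_role,
       MAX(l.event_timestamp)                    AS last_login,
       LISTAGG(DISTINCT l.client_ip, ', ')       AS source_ips
FROM   snowflake.account_usage.users u
JOIN   snowflake.account_usage.grants_to_users g
       ON g.grantee_name = u.name AND g.deleted_on IS NULL
LEFT JOIN snowflake.account_usage.login_history l
       ON l.user_name = u.name
      AND l.is_success = 'YES'
      AND l.event_timestamp > DATEADD(day, -90, CURRENT_TIMESTAMP())
WHERE  u.deleted_on IS NULL
GROUP BY u.name, u.has_password, u.has_rsa_public_key
ORDER BY holds_admin_role DESC, user_name;

-- 2. Rotate: move the integration user to key-pair authentication and rotate
--    without downtime: load the new key into the second slot, let the vendor
--    cut over, then clear the old slot and remove any password path.
ALTER USER ANODOT_SVC SET RSA_PUBLIC_KEY_2 = '<new public key PEM body>';
ALTER USER ANODOT_SVC UNSET RSA_PUBLIC_KEY;   -- after the vendor confirms cutover
ALTER USER ANODOT_SVC UNSET PASSWORD;
-- Pin the user to the vendor's published egress range (placeholder range).
CREATE NETWORK POLICY IF NOT EXISTS ANODOT_EGRESS ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER USER ANODOT_SVC SET NETWORK_POLICY = ANODOT_EGRESS;

-- 3. Least privilege: a read-only role confined to one schema on one
--    warehouse, replacing any warehouse-wide or account-wide role.
CREATE ROLE IF NOT EXISTS ANODOT_READER;
GRANT USAGE  ON WAREHOUSE REPORTING_WH      TO ROLE ANODOT_READER;
GRANT USAGE  ON DATABASE  ANALYTICS_DB      TO ROLE ANODOT_READER;
GRANT USAGE  ON SCHEMA    ANALYTICS_DB.KPIS TO ROLE ANODOT_READER;
GRANT SELECT ON ALL TABLES    IN SCHEMA ANALYTICS_DB.KPIS TO ROLE ANODOT_READER;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS_DB.KPIS TO ROLE ANODOT_READER;
GRANT ROLE ANODOT_READER TO USER ANODOT_SVC;
REVOKE ROLE SYSADMIN FROM USER ANODOT_SVC;    -- drop the broad role it held
ALTER USER ANODOT_SVC SET DEFAULT_ROLE = ANODOT_READER;
```

The audit query is the evidence for the 48-hour inventory in step 1; re-run it after steps 2 and 3 to confirm no integration user still holds an administrative role or logs in from outside the pinned range.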