Strictly Confidential — Material Disclosure Under Executed Mutual NDA Only
SECTOR / 21 · TECHNOLOGY & SAAS

Technology & SaaS. Build the supply chain. Become the supply-chain attack surface.

In 2024, attackers compromised approximately 165 Snowflake customer organisations through stolen credentials and missing MFA — exposing hundreds of millions of records, including AT&T (109M call records), Ticketmaster (560M), Santander, Lending Tree, and others. The July 2024 CrowdStrike Falcon incident cost Delta USD 550 million. The 2023 Okta breach cascaded into Cloudflare, BeyondTrust, and 1Password. PULSE engineers SaaS infrastructure in which customer-data aggregation does not exist in a form that vendor-side compromise can extract.

Technology & SaaS — 2024 Threat Profile

In 2024, attackers exploiting missing multi-factor authentication on Snowflake customer accounts compromised approximately 165 organisations and exposed hundreds of millions of records.

165
Snowflake customer organisations targeted by ShinyHunters / UNC5537 in the 2024 credential-attack campaign. Affected organisations included AT&T (109M records), Ticketmaster (560M), Santander Bank, Advance Auto Parts, Lending Tree, Pure Storage, Los Angeles Unified, and Truist Bank.
Source: Mandiant / Push Security 2024

80%
Proportion of compromised Snowflake accounts that had prior credential exposure via infostealer malware dating back as far as 2020. Affected accounts lacked MFA — successful authentication required only username and password.
Source: Mandiant 2024 / Push Security

USD 550M
Cost incurred by Delta Air Lines from the July 2024 CrowdStrike Falcon update incident — a faulty content-configuration update affecting approximately 8.5 million Microsoft Windows computers globally.
Source: Delta SEC filings 2024

USD 2M
Direct extortion proceeds linked to the UNC5537 / ShinyHunters Snowflake campaign, per Mandiant tracking. The resale value of stolen Snowflake-customer data on dark-web markets was significantly higher.
Source: Mandiant / CSA Snowflake analysis

Threat Landscape

Software companies are the supply chain. Their breach is downstream-customer breach in 24 hours.

The technology and SaaS threat landscape is defined by a structural reality the rest of the economy is still adapting to: the software companies that build the technology infrastructure of every other industry are themselves the infrastructure-supply-chain attack surface for those industries. A breach of a single SaaS provider — Snowflake, Okta, MOVEit, SolarWinds, CrowdStrike — produces consequence across hundreds or thousands of unaffiliated commercial customers within hours. The 2020 SolarWinds Sunburst campaign established the template; subsequent variants have refined the execution.

The 2024 Snowflake campaign is the canonical recent illustration. Cybercriminals associated with the threat group ShinyHunters (tracked by Mandiant as UNC5537) targeted approximately 165 Snowflake customer accounts using stolen credentials harvested from infostealer malware infections dating back as far as 2020. Over 80% of compromised accounts had prior credential exposure. Affected accounts lacked multi-factor authentication — successful authentication required only username and password. Snowflake itself was not compromised; the customer-side configurations were. The campaign affected hundreds of millions of individuals across at least nine publicly named victims, including AT&T (109M call and text records), Ticketmaster (560M), Santander Bank, Lending Tree (190M+), Advance Auto Parts (2.3M), Pure Storage, LA Unified, and Truist Bank. [01]

In 2024, software supply-chain compromise produced more downstream-customer breach consequence than any other vector class. The software supply chain is the attack surface. The customer-relationship contract that disclaims responsibility for downstream consequence is a legal artefact. The architectural responsibility is undisclaimable.

The 2024 incident calendar extends well beyond Snowflake. The July 2024 CrowdStrike Falcon update incident — a faulty content-configuration update pushed to Windows endpoints running CrowdStrike Falcon — caused approximately 8.5 million Microsoft Windows computers to fail globally. Delta Air Lines alone incurred USD 550 million in cost. Hospitals cancelled surgeries. Banks went offline. Airlines reverted to handwritten boarding passes. The incident was not a cyberattack — but it demonstrated the cybersecurity-equivalent fragility of every industry that depends on a small number of widely deployed software platforms. [03]

The earlier examples remain instructive. The 2023 breach of Okta's customer support case management system compromised credentials of approximately 134 customers, including Cloudflare, where attackers used the credentials to access Cloudflare's Atlassian platforms (Bitbucket, Confluence, Jira) and reach source code. [02] The 2023 Cl0p / MOVEit campaign exploited a single zero-day vulnerability in Progress Software's file-transfer product to compromise hundreds of organisations across financial services, healthcare, education, and government sectors. The 2020 SolarWinds Sunburst campaign — attributed to Russia's SVR / APT29 — affected US federal agencies and Fortune 500 companies through trojanised software updates pushed via trusted vendor channels.

Common Attack Vectors

Technology and SaaS attack vectors concentrate in identity, configuration, and update channels.

The same vectors recur: stolen credentials and missing MFA, misconfigured customer-side SaaS deployments, compromised software supply chains delivering trojanised updates, and exploitation of trusted-vendor remote-access channels.

VECTOR / 01

Credential Compromise + Missing MFA

The 2024 Snowflake campaign exemplifies the pattern: stolen credentials (some dating back to 2020 infostealer infections) used against customer accounts that lacked MFA. AT&T, Ticketmaster, and Santander were among those affected. In response, Snowflake mandated MFA for new human users from October 2024. The pattern affects every multi-tenant SaaS platform.

165 customers via missing MFA — Snowflake 2024

VECTOR / 02

Software Supply-Chain Compromise

The 2020 SolarWinds Sunburst campaign (Russia SVR / APT29) and the 2023 Cl0p / MOVEit campaign established the template: trojanised software updates or zero-day vulnerabilities in widely deployed software propagate to thousands of victims through trusted vendor channels. The 2024 ShinyHunters / Snowflake campaign and the 2024 SaaS-integrator-driven Snowflake follow-on demonstrate the continuing pattern.

SolarWinds Sunburst — Russian SVR / APT29 2020

VECTOR / 03

Vendor-Channel Compromise

The 2023 Okta breach cascaded into Cloudflare, BeyondTrust, 1Password, and other Okta customers. Vendor-channel compromise represents an asymmetric threat: the vendor has privileged access to thousands of customers, and the vendor's cybersecurity posture is the floor for every customer's exposure to vendor-channel-mediated attack.

134 Okta customers exposed — 2023 breach

VECTOR / 04

CrowdStrike-Class Configuration / Update Failure

The July 2024 CrowdStrike Falcon update incident demonstrated that catastrophic supply-chain consequence does not require malicious intent — a faulty configuration update pushed by a trusted vendor to widely deployed endpoint software produced global outage. Estimated direct impact across industries reached billions of dollars.

USD 550M Delta cost alone — CrowdStrike Jul 2024

Operational and Regulatory Impact

SEC Cybersecurity Disclosure Rule. EU CRA. The technology sector's liability for downstream-customer consequence is being rewritten.

The US SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (effective December 2023) imposes a four-business-day disclosure obligation on public-registrant tech companies for material cybersecurity incidents. The 2024 wave of SEC Form 8-K Item 1.05 filings — by Snowflake-affected customers, by AT&T, by Halliburton, by Schneider Electric — demonstrates the regulatory consequence in operation.

The EU Cyber Resilience Act (CRA, Regulation (EU) 2024/2847) — adopted October 2024 — imposes cybersecurity baseline requirements on products with digital elements placed on the EU market, including substantial portions of the SaaS and software-products ecosystem. The CRA establishes specific obligations for vulnerability handling, security updates throughout product lifecycle, and incident reporting.

The EU NIS2 Directive (effective 18 October 2024) brings digital infrastructure (DNS, TLD registries, cloud computing services, content delivery networks, online marketplaces, online search engines, social-networking services) within "essential entity" or "important entity" cybersecurity-governance and incident-reporting obligations. The Cybersecurity Maturity Model Certification (CMMC) program in the US imposes graduated cybersecurity requirements on technology vendors handling Federal Contract Information and Controlled Unclassified Information for the Department of Defense.

The CISA Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) — when its final rule takes effect — will impose 72-hour reporting obligations on covered entities including covered information-technology and software vendors.

Reframing

Technology and SaaS cybersecurity is the only domain where one company's breach becomes a thousand companies' breach in a single hop, and a million customers' breach in two.

The PULSE Position

In a PULSE-substrate technology and SaaS environment, customer-data aggregation does not exist in a form that vendor-side compromise can extract.

The defining structural exposure of technology and SaaS cybersecurity is multi-tenant aggregation. SaaS platforms exist precisely because they aggregate customer data across thousands of organisations into shared computational infrastructure — that is what makes the SaaS economic model work. The 2024 Snowflake campaign exposed hundreds of millions of records through compromise of approximately 165 customer accounts because the data of those 165 customers was held in aggregable form on the shared platform.

A SaaS provider running PULSE substrate does not aggregate customer data into vendor-side recoverable corpora. Customer A's data is held in a form that is accessible to Customer A for the operations Customer A authorises and to no other party — including the SaaS provider itself, including the cloud-platform operator, including any subsequent compromise of any infrastructure component. The SaaS economic model is preserved; the aggregation that drove the consequence of the 2024 Snowflake campaign is architecturally absent.

For software-supply-chain integrity, the same architectural commitment applies. Software updates and configuration changes are anchored cryptographically against tampering at the level of substrate trust, not at the level of vendor-controlled signing certificates. The CrowdStrike-class configuration-failure event is bounded by substrate-level constraints that prevent vendor-side action from producing customer-side consequence. The means is the trade secret. We disclose it under executed Mutual Non-Disclosure Agreement only.

Strategic Briefing — Available Under NDA

Technology and SaaS PULSE deployment, SEC / EU CRA / NIS2 / CMMC alignment, and multi-tenant reference architecture.

Architectural-fit assessment for SaaS provider, PaaS provider, software vendor, identity-and-access-management vendor, endpoint-security vendor, and software-supply-chain scenarios. Quantified multi-tenant data-aggregation residual-disclosure model under PULSE substrate. Cross-jurisdictional regulatory alignment matrix (SEC Cybersecurity Disclosure Rule / EU CRA / EU NIS2 / EU DORA for FinTech / CMMC / Australia SOCI / Singapore CSA Code of Practice). Reference architecture for multi-tenant data substrate, software-update delivery, and customer-isolation substrate.

Sources

All statistics on this page are drawn from publicly available reports issued by recognised industry bodies, regulators, and security research organisations. References are listed below for verification.

[01] Cloud Security Alliance — Unpacking the 2024 Snowflake Data Breach; Mandiant tracked UNC5537 / ShinyHunters compromise of approximately 165 Snowflake customer accounts via stolen credentials and absent multi-factor authentication.
[02] Okta — disclosure of 2023 breach of customer support case management system; subsequent disclosed downstream impact on Cloudflare and other Okta customers.
[03] CrowdStrike — Falcon content configuration update incident of 19 July 2024 affecting approximately 8.5 million Microsoft Windows computers globally; not a cyberattack but functionally equivalent in consequence to a supply-chain compromise.
[04] AT&T — Form 8-K filings disclosing 2024 breach of customer call and text records (109 million customers) via Snowflake credential compromise.
[05] US Securities and Exchange Commission — Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (effective December 2023).
[06] European Union — Cyber Resilience Act (CRA), Regulation (EU) 2024/2847.
[07] European Union — Network and Information Systems Directive 2 (NIS2), Directive (EU) 2022/2555, applicable from 18 October 2024 — designates digital infrastructure (DNS, TLD registries, cloud, data centres, content delivery networks, trust services) as essential entities.
[08] AppOmni — What 2024's SaaS Breaches Mean for 2025 Cybersecurity.
[09] Verizon 2024 Data Breach Investigations Report — analysis of 30,458 security incidents and 10,626 confirmed breaches across 94 countries.
[10] IBM Cost of a Data Breach Report 2024 (Ponemon Institute, sponsored by IBM, July 2024) — covering 604 organisations across 16 countries and 17 industries between March 2023 and February 2024.

PULSE Digital Security cites these sources for context only. Citation does not imply endorsement of, or affiliation with, any cited organisation. All trademarks remain the property of their respective owners.