OneLogin has admitted that it cannot guarantee that encrypted data exposed in a breach on Wednesday (May 31st) remains secure.
The firm has confirmed that a review is currently underway to investigate the data breach, which affected its “US data region”.
Unauthorized access has since been blocked and the incident has been reported to the authorities, with independent security firms also engaged to help determine the extent of the incident.
OneLogin found that the attacker had obtained a set of AWS keys and had used them to call the AWS API from an intermediate host at another, smaller service provider in the US.
Affected customers have already been informed, with the company stating that the attacker was able to access database tables containing sensitive information about users and apps, as well as several types of keys.
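The detail that matters here is not just that keys leaked, but that they were used from a host OneLogin did not own. Long-lived AWS access keys carry no notion of where they are supposed to be used from, so the first signal a defender usually has is the key appearing in CloudTrail from an unexpected source address. The following is an added example, not OneLogin's tooling or any code from the original report: it scans constructed CloudTrail-style records (only the fields needed for the check) against a hypothetical inventory of the networks each key is expected to be used from, flags calls from anywhere else or from keys not in the inventory, and rates data-access calls higher than reconnaissance. The key IDs, networks and events are all made up.

```python
"""Flag AWS API calls made with an access key from outside the networks
where that key is expected to be used (illustration, not OneLogin's code).

Sample records below are constructed in the shape of CloudTrail events
(a subset of fields only); the allowlist is hypothetical.
"""
import ipaddress
import json
from collections import defaultdict

# Hypothetical inventory: which networks each long-lived key should be used from.
EXPECTED_NETWORKS = {
    "AKIAEXAMPLEKEY000001": ("203.0.113.0/24",),   # build hosts (TEST-NET-3)
    "AKIAEXAMPLEKEY000002": ("198.51.100.0/24",),  # app tier  (TEST-NET-2)
}

# Calls that read customer data or copy it somewhere the attacker controls.
DATA_ACCESS_EVENTS = {
    "GetObject", "ListObjects", "Scan", "Query",
    "CreateDBSnapshot", "CopyDBSnapshot", "ModifyDBSnapshotAttribute",
}

# Constructed sample events, newline-delimited JSON (not real log data).
# 192.0.2.0/24 (TEST-NET-1) stands in for the "intermediate host" network.
SAMPLE_EVENTS = """\
{"eventTime": "2017-05-31T02:14:05Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.17", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}}
{"eventTime": "2017-05-31T02:15:10Z", "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.44", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}}
{"eventTime": "2017-05-31T02:16:22Z", "eventName": "DescribeDBInstances", "sourceIPAddress": "192.0.2.44", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}}
{"eventTime": "2017-05-31T02:18:40Z", "eventName": "CreateDBSnapshot", "sourceIPAddress": "192.0.2.44", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}}
{"eventTime": "2017-05-31T02:20:01Z", "eventName": "Scan", "sourceIPAddress": "198.51.100.9", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}}
{"eventTime": "2017-05-31T02:21:30Z", "eventName": "DescribeDBInstances", "sourceIPAddress": "rds.amazonaws.com", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}}
{"eventTime": "2017-05-31T02:25:12Z", "eventName": "GetObject", "sourceIPAddress": "192.0.2.44", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000009"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _source_in_networks(ip_text, networks):
    """True/False for an IP address; None when the field is not an address
    (CloudTrail records a service DNS name there for AWS-initiated calls)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return any(ip in ipaddress.ip_network(net) for net in networks)


def find_anomalies(events, expected=EXPECTED_NETWORKS):
    """Return one finding per call that used a key from an unexpected place
    or used a key that is not in the inventory at all."""
    findings = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        src = ev.get("sourceIPAddress", "")
        name = ev.get("eventName", "")
        if key not in expected:
            reason = "access key not in inventory"
        else:
            ok = _source_in_networks(src, expected[key])
            if ok is None or ok:          # service-originated or expected network
                continue
            reason = "call from outside expected networks"
        findings.append({
            "accessKeyId": key,
            "sourceIPAddress": src,
            "eventName": name,
            "eventTime": ev.get("eventTime"),
            "severity": "high" if name in DATA_ACCESS_EVENTS else "medium",
            "reason": reason,
        })
    return findings


def summarize(findings):
    """Roll findings up per key: event count, distinct sources, time span."""
    by_key = defaultdict(lambda: {"events": 0, "sources": set(), "high": 0,
                                  "first": None, "last": None})
    for f in findings:
        s = by_key[f["accessKeyId"]]
        s["events"] += 1
        s["sources"].add(f["sourceIPAddress"])
        s["high"] += f["severity"] == "high"
        times = [t for t in (s["first"], s["last"], f["eventTime"]) if t]
        if times:                          # ISO-8601 UTC strings sort lexically
            s["first"], s["last"] = min(times), max(times)
    return dict(by_key)


if __name__ == "__main__":
    for key, s in summarize(find_anomalies(parse_events(SAMPLE_EVENTS))).items():
        print(f"{key}: {s['events']} calls ({s['high']} high) from "
              f"{sorted(s['sources'])} between {s['first']} and {s['last']}")
```

On the sample data the build key shows three calls from a single address outside its expected network, one of them a snapshot creation, and a key nobody has in inventory reads an object from the same address. The allowlist check is deliberately the simplest possible version; in practice the "expected networks" would come from the VPC and office egress ranges, and the same join against CloudTrail is what lets a responder answer the question OneLogin had to answer, namely which tables the key was used to reach and from where.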
While insisting that much of its most sensitive data was encrypted, the company admitted that it cannot guarantee that the cybercriminal has not managed to find a way to decrypt that data.
As a result, it has asked customers to remain vigilant, making several recommendations for action.
According to Bill Buchanan of Edinburgh Napier University, the incident has highlighted the risk of depending on cloud-based systems.
He told the BBC: "Increasingly they [companies] need to encrypt sensitive information before they put it within cloud systems, and watch that their encryption keys are not distributed to malicious agents.
"It is almost impossible to decrypt data that uses strong encryption, unless the encryption key has been generated from a simple password.”
The case once again highlights the importance of implementing encryption properly, and above all of protecting the keys, particularly for UK companies, which are still likely to remember the £150,000 fine the ICO handed to insurer Royal & Sun Alliance at the beginning of the year.
Whether OneLogin could have done more to protect its encrypted data is likely to become clearer in the next few weeks.