Tales from the Dark Web: A Real-Life Example of Cloud-Based Exposure
While storing data in the cloud or using cloud-based applications can be efficient and effective for both individuals and businesses, users should remain vigilant and ensure that the cloud itself is safe from potential cyberattacks. We frequently emphasize to our clients the importance of obtaining the cloud provider’s SOC (Service Organization Control) report. The SOC report will typically include a section titled “Complementary End User Controls,” which lists the controls the user is required to have in place for the cloud provider’s security to be effective. Below is a brief case study of how a user control issue could put the data housed by the cloud provider at risk.
Background: A company used a cloud-based solution for its online backup, so all backups were eventually stored in the cloud. The cloud provider had a SOC report which included Complementary End User Controls, ensuring proper logical access controls. The user’s outside IT provider had administrative access to both the user’s local network and its cloud-based backup. The IT provider used the same username and password for both network access and cloud-based applications.
Scenario: A hacker successfully conducted a spear phishing attack on a member of the user organization and gained access to the network. Using several tools, the hacker was able to obtain all usernames and passwords for the network, including the admin user credentials. The hacker spent months discreetly searching for valuable files on the user’s network and exported those files every night. After several months of not finding much of value, the hacker decided to take down the user network and delete all data. In the months of scouring the user network, they also learned about the user’s cloud backup solution.
Typically, this would not pose an issue because the cloud provider’s event logging would detect infiltration attempts against its defenses. However, in this case, the hacker tried the administrator username and password they had been using to infiltrate the network and successfully gained admin access to the cloud-based backups. The hacker was able to delete all backups and restore points in the backup application. The hacker then completely took down the user network.
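The case study turns on a valid admin credential doing something no legitimate admin does: wiping every backup and restore point in one sitting. As an added illustration, not part of the original case study and not any backup vendor's code, the Python below shows the kind of detection a backup application's event logging could raise. It replays a constructed set of audit events and flags (a) any single principal performing many destructive actions inside a short sliding window and (b) a large share of the known backup inventory disappearing. The event field names, actor names, inventory and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical backup application's audit log.
# Field names (ts, actor, action, target) are assumptions, not any vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T01:00:00Z", "actor": "backup-svc", "action": "delete_restore_point", "target": "rp-000"},  # routine rotation
    {"ts": "2024-03-01T02:05:10Z", "actor": "itprovider-admin", "action": "login", "target": "-"},
    {"ts": "2024-03-01T02:06:01Z", "actor": "itprovider-admin", "action": "delete_restore_point", "target": "rp-001"},
    {"ts": "2024-03-01T02:06:30Z", "actor": "itprovider-admin", "action": "delete_restore_point", "target": "rp-002"},
    {"ts": "2024-03-01T02:07:02Z", "actor": "itprovider-admin", "action": "delete_restore_point", "target": "rp-003"},
    {"ts": "2024-03-01T02:07:40Z", "actor": "itprovider-admin", "action": "delete_restore_point", "target": "rp-004"},
    {"ts": "2024-03-01T02:08:15Z", "actor": "itprovider-admin", "action": "delete_backup", "target": "bk-weekly-09"},
    {"ts": "2024-03-01T02:09:00Z", "actor": "itprovider-admin", "action": "delete_restore_point", "target": "rp-005"},
]

# Constructed inventory of backups and restore points that existed before that night.
INVENTORY = {"rp-000", "rp-001", "rp-002", "rp-003", "rp-004", "rp-005",
             "bk-weekly-08", "bk-weekly-09"}

# Actions that remove recovery capability (assumed action names).
DESTRUCTIVE = {"delete_backup", "delete_restore_point"}


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_mass_deletions(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak count} for actors whose destructive actions reached
    `threshold` inside any sliding window of length `window`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE:
            per_actor[e["actor"]].append(parse_ts(e["ts"]))
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits in `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts


def deleted_fraction(events, inventory):
    """Fraction of the known inventory removed by the events, regardless of actor."""
    gone = {e["target"] for e in events if e["action"] in DESTRUCTIVE} & inventory
    return len(gone) / len(inventory) if inventory else 0.0


def assess(events, inventory, wipe_threshold=0.5):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for actor, n in find_mass_deletions(events).items():
        findings.append(f"mass deletion by {actor}: {n} destructive actions within 10 min")
    frac = deleted_fraction(events, inventory)
    if frac >= wipe_threshold:
        findings.append(f"{frac:.0%} of backup inventory deleted; possible wipe in progress")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_EVENTS, INVENTORY):
        print("ALERT:", line)
```

The routine rotation by `backup-svc` stays below the threshold, while the admin account's burst of six deletions in three minutes and the loss of 88% of the inventory both surface as findings. In practice such an alert is only useful if it reaches someone other than the account performing the deletions, and if the provider's retention or soft-delete policy leaves a window in which the backups can still be recovered.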
Result: The user company came in the next morning and discovered that they were unable to access the network and its applications. It became clear the network had been attacked and the outside IT provider immediately went to the backups, only to find out that there were none. Unfortunately, the cloud provider could not restore the deleted backups, leaving the user company unable to restore its data.
If you would like to discuss controls around your cloud-based solutions, please contact Michael Camacho at mcamacho@citrincooperman.com or Kevin Ricci at kricci@citrincooperman.com to set up a call.