Breach, Cloud Security, Data Security

Breach exposes data associated with customers of Imperva’s Cloud WAF product

Cybersecurity company Imperva today disclosed a data breach that impacts certain customers of its Cloud Web Application Firewall (WAF) product who had accounts through Sept. 15, 2017.

The breach exposed email addresses, hashed and salted passwords, and, for a subset of customers, API keys and customer-provided SSL certificates. In a company blog post, Imperva says it first became aware of the incident on Aug. 20. Additional details pertaining to the nature of incident, including the cause and the number of individuals impacted, were not revealed in the announcement.

In response to the incident, the Redwood City, California-based firm says that it has delegated responsibilities to both an internal data security response team and outside forensics experts, and has commenced outright to global regulatory agencies as well as affected customers. It has also forced password rotations and 90-day expirations in the Cloud WAF product.

On its website, Imperva says that its Cloud WAF product, formerly known as Incapsula, "protects against all application security threats, including SQL injection, cross-site scripting (XSS) and remote file inclusion (RFI), and more... You can easily build custom WAF rules and secure your API interfaces." The product page also says that the solution provides automated virtual patching, and offers additional services including bot control, account takeover protection, backdoor protection, two-factor authentication and SIEM integration.

Imperva is recommending that Cloud WAF customers further protect themselves by changing their passwords, instituting Single Sign-On and two-factor authentication, generate and upload new SSL certificates, and reset API keys.

The news opened up Imperva to criticism from other companies that offer security solutions designed to protect cloud-based data and systems. "While we often point to lack of maturity of security operations or misconfiguration of cloud systems as to why a company would miss an attack, it is even more unfortunate when a security vendor who builds a cloud security product is compromised that should have the skills and capabilities to detect and respond to cyberattacks," said Chris Morales, head of security analytics at threat detection and response company Vectra. "As a security vendor, I know our own industry must practice the same vigilance we preach. Even then, we must assume a breach can occur and be prepared to respond before information is stolen that can impact our clients."

"Data breaches will inevitably happen. In this case it appears that the primary information that was breached was email address (presumably the user id) and salted password," said Jim Reavis, CEO of the Cloud Security Alliance. "Given that this is a credential theft, the biggest lesson learned is the utility of multi-factor authentication. Strong authentication renders this type of breach inconsequential, as the attacker can do nothing without access to the second factor."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.