What Yesterday’s Gmail Attack Taught Us

Data Protection is a shared responsibility. The Internet was all abuzz yesterday when a sophisticated Gmail phishing attack hit.  The rogue email, often appearing to be sent from one of your contacts, masqueraded as a Google Docs sharing request, but in actuality was a link that requests the user to grant access to an application […]

**Data Protection is a shared responsibility.**The Internet was all abuzz yesterday when a sophisticated Gmail phishing attack hit.  The rogue email, often appearing to be sent from one of your contacts, masqueraded as a Google Docs sharing request, but in actuality was a link that requests the user to grant access to an application called “Google Docs.” [For more information on the scope of the attack and its resolution, read this article on Motherboard.]While it appears no data was lost, this malicious campaign is a strong reminder for individuals and the organizations they work for that there is a clear and proven risk associated with SaaS applications. It’s a simple fact: companies that rely on SaaS applications are exposed to data loss.

It can’t be stated enough that SaaS vendors (like Google) do a good job of protecting you from data loss originating on their side, e.g. infrastructure issues, application issues, but cannot protect you from data loss originating from within your organization, like someone clicking on yesterday’s email scam. Other common data loss scenarios we hear about at Spanning are ransomware attacks originating from a compromised laptop, misconfigurations by administrators, common user mistakes and malicious insiders who destroy or alter data for personal gain.

Google did a great job tamping down the attack and stopping the campaign within approximately one hour. But what happens next time?

This attack was fairly easy for Google to stop since it’s execution was isolated to a single point, the rogue application (“Google Docs”) that was registered to a random Gmail account. The next time, it could easily be a real Google Doc or Sheet that has embedded Google Script code that could run as the user and wreak havoc on users’ data. Think back to when phishing was primarily carried out using attachments with Microsoft macros.  If this ever happens with Google Docs, it might be much more difficult for Google to control and stop.

Data protection for SaaS data is a shared responsibility between the SaaS provider and your organization. How are you covering your half of that responsibility? If you’re not sure or not confident, take the time to learn more about the benefits of an automated, cloud-to-cloud backup solution that can provide point-in-time snapshots and rapid recovery for your organization.

Download our 3-Step Guide to SaaS Data Protection