CISA warns about Sisense data breach

Business intelligence / data analytics software vendor Sisense has apparently suffered a data breach that spurred the company and the US Cybersecurity and Infrastructure Security Agency to push the company’s customers to “reset credentials and secrets potentially exposed to, or used to access, Sisense services.”


What is known about the Sisense data breach?

Details about the security incident are still being kept under wraps by Sisense.

A notification by the company’s chief information security officer – shared by cybersecurity journalist Brian Krebs – says the company is “aware of reports that certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet).”

While the company investigates the incident with the help of outside cybersecurity experts, it has urged customers to rotate any credentials they used within their Sisense application.

“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” the US cybersecurity agency said, and asked Sisense customers to “investigate—and report to CISA—any suspicious activity involving credentials potentially exposed to, or used to access, Sisense services.”

Sisense customers include corporations like Nasdaq, Air Canada, Hive, and others.

Depending on what information was compromised, this could be a big deal. If customer credentials or secrets were compromised and misused, threat actors may have had access to those organizations’ corporate data.

UPDATE (April 12, 2024, 05:35 a.m. ET):

Sisense CISO Sangram Dash has sent out another notification to the company’s customers, with more specific advice on which passwords, tokens, certificates, parameters, etc. have to be replaced, reset, or rotated.


Sisense customer notification (Source: Marc Rogers)

“The nature of Sisense is they require access to their customers’ confidential data sources. They have direct access to JDBC connections, to SSH, and to SaaS platforms like Salesforce and many more. It also means they have tokens, credentials, certificates often upscoped,” noted Marc Rogers, Head of Security at DEF CON and founder of CTI League (a Global Volunteer Community-CERT).

“The data stolen from Sisense contained all these tokens, credentials and access configurations. This is a worst-case scenario for many Sisense customers. These are often literally the keys to their kingdoms. Treat as an EXTREMELY serious event.”

Sisense has yet to confirm how the breach happened, though several sources told Brian Krebs that it all started with attackers gaining access to the company’s GitLab code repository, where they found a token or credential that allowed them to access the company’s Amazon S3 buckets.
