On April 11, 2024, CISA announced an investigation of a data compromise event within Sisense. This blog provides an overview of steps you can take to protect your organization and your 3rd party network as well as a summary of our investigation and mitigation efforts.

Description

Sisense is a data visualization company with a variety of applications to process, analyze, and visualize data. Many organizations across all industries use Sisense, and as a result, this situation could have widespread implications for organizations of all sizes and industries across the world.

Severity and Impact

The situation has been identified by CISA as significant to the extent that it “is taking an active role in collaborating with private industry partners to respond” and will be providing updates as they become available.

Brian Krebs has reported that, "Those sources said the breach appears to have started when the attackers somehow gained access to the company’s code repository at Gitlab, and that in that repository was a token or credential that gave the bad guys access to Sisense’s Amazon S3 buckets in the cloud. Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates."

As of now, there is no vulnerability associated with this breach. However, it is still important to quickly assess the impact and risk both internally and within your third-party population. Take action now and follow these steps to assess the potential impact.

Step 1: Determine if you are at risk

If you are using any Sisense services your organization is at risk. See Step 2
The Sisense breach may indirectly impact your organization if your vendors use Sisense as a subprocessor. Check application access logs for those keys/tokens/SSL certs and check in with your vendors to determine impact and if any malicious access took place.
To Assess whether your Third Parties are using any SiSense services and if there is any associated impact, you can access the Sisense Breach Response Questionnaire in the Whistic platform under our Questionnaire Standards Library by clicking here.

Step 2: Immediately rotate credentials and secrets related to the affected services.

CISA is urging their customers to:
- Immediately reset credentials and rotate all keys/tokens/SSL certs potentially exposed to, or used to access, Sisense services.
- Investigate—and report to CISA—any suspicious activity involving credentials potentially exposed to, or used to access, Sisense services.

Does this affect Whistic?

As a result of our investigation, we have determined that this situation does not directly impact Whistic. Whistic does not use Sisense products, and we haven't identified any of our third parties that use Sisense products. We have a structured approach to vulnerability identification and remediation using technologies in both the development lifecycle and in our stage and production environments.