Zscaler praised for swift response amid data breach claims – but what happened?


Security experts commended Zscaler for its response to a security breach reported to have affected one of its test environments last week, although as the dust begins to settle, the extent of the incident remains unclear.

Stakeholders in the cyber sector said that Zscaler’s conduct sets a good example of how businesses should disclose security incidents in a threat landscape defined by an increased frequency of attacks.

But continued uncertainty about which systems were accessed in the attack has slightly undermined the company's attempts to quell customer fears surrounding the incident.

On 6 May, a threat actor known as IntelBroker claimed on an underground hacker forum that it had breached a "famous cyber security company", confirming later that day that the firm in question was, in fact, Zscaler.

IntelBroker was responsible for a recent data breach in April 2024 in which it exposed personal information relating to over 10,000 Home Depot employees, and said it was selling access to Zscaler for $20,000.

On 8 May, Zscaler issued an update notifying customers that the company was investigating a security incident, promising to disclose whether its investigation found any evidence of a breach or compromise.

Scrutinizing statements from threat actors is important as businesses try to counter the damage caused by fake data breach claims, such as a case involving Europcar where hackers falsely claimed to have stolen personal information pertaining to 50 million customers.

Dark Web Informer, who first tweeted about the incident on 8 May, said IntelBroker does not have a previous track record of lying about its activities, and also applauded Zscaler for its transparency in response to the incident.

Martin J. Kraemer, security awareness officer at KnowBe4, told ITPro that Zscaler's conduct following the breach was commendable, noting the damage firms can cause by trying to cover up security incidents.

“Zscaler's management of the situation is indeed commendable. I, too, applaud them for their clear and proactive communication, demonstrating their commitment to investigating the situation with their customers' and business partners' needs at the forefront of their actions. This exemplifies excellent PR management of a cyber incident,” he explained.

“Incident response often falls short when organizations attempt to conceal their lack of understanding of the situation, inadvertently revealing their inability to effectively manage cyber risks.

“In today's interconnected world, both internal and external communication are paramount in mitigating reputational damage. It may take several days to ascertain the extent of data loss and the impact on employees and customers. Failing to communicate effectively during this critical period can lead to significant reputational harm.”

Kraemer added that this approach is a refreshing change from many companies, such as AT&T or 23andMe, which both denied claims of security incidents before eventually having to admit they were breached.

“Zscaler's approach here sets them apart from many other organizations that succumb to the natural human emotions of uncertainty, which often give rise to fear, anxiety, hopelessness, helplessness, or denial,” Kraemer argued.

“Effective communication and PR strategies acknowledge uncertainty by transparently conveying what is known, what remains unknown, and the steps being taken to mitigate risks and reduce uncertainty. By taking this crucial first step, Zscaler demonstrates commendable competence and serves as a potential role model for other organizations to follow.”

Zscaler updates kept customers in the loop

In its first security update acknowledging the alleged breach, Zscaler did not comment on its veracity but simply stated that it had launched an investigation into the incident, noting “we take every potential threat and claim very seriously and will continue our rigorous investigation”.

A few hours into the investigation, the cloud security company said that it was prioritizing customer and production environments and that it had not discovered any evidence of a cyber incident or compromise to any of these environments.

Later that night, the firm issued another update confirming the incident did not impact its customer, production, or corporate environments, but that its investigation had identified an isolated test environment on a single server that was exposed to the internet.

Zscaler took the affected test environment offline for forensic analysis, stating the environment was neither hosted on its infrastructure nor connected to any of the company’s other environments.

The company issued an update the next day confirming further investigation had not yielded any evidence of impact to customer, production, or corporate environments, adding that it had engaged a third-party incident response firm to conduct forensic analysis.

This status was restated in an update on 10 May, the most recent notification to Zscaler customers, but speculation has arisen around a number of screenshots provided by IntelBroker as evidence of the breach.

The screenshots contained the names of some of Zscaler’s mail servers, which could indicate the breach goes beyond the single test environment that was originally claimed.

In a Mastodon post, a Zscaler employee advised customers to rely on the company’s official statements, warning that false information could generate unwarranted panic.

“We encourage our community to rely solely on Zscaler’s official channels for accurate technical updates. Claims of compromise are fabricated to create unnecessary panic. Zscaler remains proactive, safeguarding its environments with advanced security measures to uphold customer trust.”

The employee claimed Zscaler maintains a number of isolated test systems for training purposes and intentionally left this server exposed to the internet to "test potential breach scenarios and evaluate security protocols", speculating that the system was a honeypot, but could not confirm this.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.