Canva's infosec resourcing 'still growing' two years after large data breach

Australian tech unicorn Canva has a "much larger" and "still growing" security team and access to "ever-increasing" investment more than two years after a large-scale data breach.

The company’s newly-appointed head of security Paul Clarke told a pre-recorded AWS event last week that the 2019 breach “had a really visceral impact on company executives”, underlining the need for sustained investment and resourcing as well as for a “company-wide focus” on security.

Canva’s systems were breached on Friday May 24 of 2019 and "up to" 139 million users’ details - comprising usernames, email addresses and hashed passwords - were stolen.

The company said at the time that it had stopped an in-progress “attack on our systems”. 

“Because the intruder was interrupted mid-attack they also took a different tactic to most security incidents and tweeted about the attack, which required a rapid communication response,” the company said in a notification.

Though pre-dating Clarke's time at Canva by several years, he elaborated on this aspect of the attack at the AWS event, saying his knowledge was drawn from reading the company’s “detailed post-incident reports” and “talking to people who were involved in” the response and mop-up.

“The event began from Canva’s perspective on a Friday - [because] ... all major security incidents begin as you’re going into the weekend,” he said.

“It started with an alert from one of our monitoring systems about unusual activity happening in one of Canva’s AWS accounts. 

“When the on-call engineer investigated they identified suspicious activity coming from a particular IP address using particular access credentials, and they quickly acted to block the access of what was at that point a presumed attacker. 

“The event then took a slightly unusual turn, in my personal experience, which was at the point that the attacker lost their access, they immediately contacted tech media journalists and went public on Twitter about their activity. 

“So Canva found itself in a situation where this was public domain knowledge on the same day that Canva had identified this issue and was trying to understand exactly what had happened.”

From his reconstructed understanding of the incident response, Clarke said Canva had “three streams of work” running concurrently.

“There was the technical response to understand what had actually happened, there was a communications plan response about informing our community about the potential impact to them, and then there was a third workstream which was focused on data privacy regulator notification and law enforcement engagement,” he said.

“We ultimately discovered that the attacker had been able to gain access to some Canva systems and they’d been able to take a copy of our user database which contained usernames, email addresses, and password hashes for users who logged in directly with Canva rather than using Google or Facebook to login, and that kind of informed our communication plan. 

“We have an immediate obligation to notify our community and we did that through different channels - through social media, direct email to customers, and constant updates on a dedicated security incident page on our website, and that page is still there today.”

The company’s initial emailed notification to users was criticised at the time for burying disclosure of the breach under unrelated marketing information.

Speaking broadly about its communications plan, Clarke said it was challenging to translate into all the languages spoken by its user base.

He said the incident had “influenced the culture at Canva”, resulting in more resourcing and investment being put behind security.

“This event from two years ago had a really visceral impact on company executives,” he said.

“They truly understand that security incidents, security breaches are part of the business’s existential risk now and need to be managed as such, so there is real understanding from the very top of the company that this really matters and it needs company-wide focus. 

“More specifically there’s been an ever-increasing investment in security, so the security group is much larger than it was two years ago and it’s still growing. Our investment in tools and trusted partners continues to grow. 

“I think it’s just widely acknowledged across the company that security is as important to the business as feature development [or] customer acquisition.”

Clarke added that the breach highlighted the importance of being well-practiced at incident response.

“To be efficient and effective during an incident, you must have practiced outside of that pressurised situation,” he said.

“Know your incident response plan, know who is responsible for which elements of it, and practice, practice, practice.”