RiskEvents

Developing event. Generated by AI and subject to further corroboration and review.

DevelopingMedium impactAI Refreshed

ServiceNow discloses API vulnerability exposing customer instance data

Occurred 5 Jun 2026·Detected 9 Jun 2026·
🇺🇸 ServiceNow is a US-headquartered enterprise SaaS provider; affected instances are globally distributed, with specific exposure on the Australia platform release region6 reports
CyberEnvironmental & IndustrialCyberCasualty & Liability

ServiceNow disclosed that attackers exploited an unauthenticated API endpoint on its enterprise SaaS platform to query customer instance data. The vendor applied a security update to hosted instances on June 5, 2026, and is notifying affected customers via support cases. Exposure is concentrated on the Australia platform release and older releases with specific configuration changes. Reporting from BleepingComputer, TechCrunch, and TechRadar corroborates the disclosure, while vendor opacity on affected customer count, access duration, and exfiltration scope continues to constrain downstream severity banding.

AI-generated from linked source reports. See our correction policy.

Impact verdict

Medium impact. MEDIUM: ServiceNow is a widely deployed enterprise SaaS platform used by large corporates likely insured across London cyber, tech E&O, and casualty books, creating aggregated supply-chain exposure on first-party and third-party liability covers. Public reporting indicates queried instance data may include IT support tickets, internal documentation, employee records, asset inventories, security incident reports, and potentially credentials or API tokens, elevating downstream incident-response and notification burden. Materiality is tempered by the absence of confirmed mass exfiltration, ransomware activity, or critical-infrastructure impact, and by vendor containment via the June 5 hosted-instance update. Vendor opacity on scope per TechRadar constrains severity banding absent insurer-side notification data.

View assessment methodology

How we grade what we know -- Known · Reported · Uncertain. Methodology →

Intelligence ledger

Each line expands in place to its underlying sourced claim.

AI refreshed 16 Jun 2026, 08:04

Known52 lines

ServiceNow applied a security update to hosted customer instances on June 5, 2026
structured lineknown
No separate sourced-claim record is available for this line yet.
Attackers exploited an unauthenticated access flaw through a vulnerable API endpoint (/api/now/related_list_edit/create)
structured lineknown
No separate sourced-claim record is available for this line yet.
The API endpoint was allegedly configured with requires_authentication=false
structured lineknown
No separate sourced-claim record is available for this line yet.
Attackers successfully queried customer instance tables
structured lineknown
No separate sourced-claim record is available for this line yet.
ServiceNow has opened support cases with affected customers
structured lineknown
No separate sourced-claim record is available for this line yet.
Vulnerability primarily impacts customers on Australia platform release or older releases with specific configuration changes
structured lineknown
No separate sourced-claim record is available for this line yet.
No public reporting indicates ransomware activity, mass exfiltration confirmation, or critical-infrastructure impact associated with the incident to date.
no_ransomware_or_critical_infra_impact_reportedseverity temperingvalid from 16 Jun 2026, 00:00Cyber
Market relevance: Absence of ransomware or critical-infrastructure impact tempers severity banding absent further evidence.
Materiality is tempered by the absence of confirmed mass exfiltration, ransomware activity, or critical-infrastructure impact” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Disclosure and customer notification are corroborated by BleepingComputer, TechCrunch, and TechRadar reporting.
event_acknowledged_in_multiple_mainstream_and_trade_sourcessource corroborationCyber
Market relevance: Multi-source corroboration supports confidence in the disclosure and notification facts while highlighting vendor opacity on scope.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
techradar.com · 10 Jun 2026, 14:00 · mainstream media
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Public reporting has not confirmed mass exfiltration, ransomware activity, or critical-infrastructure impact in connection with the ServiceNow incident.
no_confirmed_ransomware_or_critical_infra_impactseverity ceilingvalid from 15 Jun 2026, 03:41Cyber
Market relevance: Absence of confirmed mass exfiltration or ransomware activity tempers severity banding under the PQER rubric.
won't reveal much on what actually happened” — techradar.com · 10 Jun 2026, 14:00 · mainstream media
the number of affected customers, duration of access, and scope of exfiltration remain unconfirmed” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Vulnerability impact is primarily concentrated on customers using the Australia platform release and on older ServiceNow releases with specific configuration changes; the broader installed base exposure is not quantified in public reporting.
exposure_scope_australia_release_and_legacyloss driver evidencevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Scope of exposed instances informs the size of the insured population potentially triggering breach notification and incident response covers.
Vulnerability primarily impacts customers on Australia platform release or older releases with specific configuration changes” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Exposure is primarily concentrated on customers on the ServiceNow Australia platform release and on older releases with specific configuration changes.
exposure_scope_australia_and_legacy_releasesgeographic scope definedvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Limits aggregated exposure footprint for global insureds while concentrating impact in Australia-region customers.
primarily impacts customers on Australia platform release or older releases with specific configuration changes” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Public reporting does not confirm ransomware activity, mass data exfiltration, or critical-infrastructure impact associated with the disclosed flaw.
servicenow_no_confirmed_ransomware_or_critical_infra_impactincident responseCyber
Market relevance: Absence of confirmed ransomware or critical-infrastructure impact tempers severity banding under the PQER rubric.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Vulnerability primarily impacts customers on the Australia platform release or on older releases with specific configuration changes.
exposure_australia_release_and_olderscope definitioncyber
Market relevance: Geographic and version scope helps underwriters identify potentially exposed insureds and accumulation risk.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow is a US-headquartered enterprise SaaS provider with globally distributed hosted instances; affected instances are concentrated on the Australia platform release region.
servicenow_vendor_profilesupply chain exposurecyber
Market relevance: US-headquartered SaaS vendor with global reach drives broad insured accumulation potential across London cyber and tech E&O books.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Impact is concentrated on customers on the Australia platform release or on older releases with specific configuration changes.
affected_release_scopescope clarificationcyber
Market relevance: Defines the population of ServiceNow customers plausibly exposed; useful for portfolio segmentation across cyber and tech E&O books.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
The vulnerability primarily impacts customers on the Australia platform release or older releases with specific configuration changes.
affected_platform_releasesexposure segmentationvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Helps London market underwriters map exposure to insureds operating on specific ServiceNow platform versions
The vulnerability primarily impacts customers on Australia platform release or older releases with specific configuration changes” — BleepingComputer · 10 Jun 2026, 02:09
The exploited endpoint is identified as /api/now/related_list_edit/create, allegedly configured with requires_authentication=false.
vulnerable_endpoint_identifiedtechnical iocvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Technical detail relevant to incident-response and forensic scoping for insureds and their incident response providers.
Attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Vulnerability primarily impacts customers on the Australia platform release and on older releases with specific configuration changes.
exposure_concentrated_australia_releasegeographic concentrationvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Regional concentration informs geographic exposure mapping for London cyber underwriters with APAC books.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
Vulnerability primarily impacts customers on Australia platform release or older releases with specific configuration changes.” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow disclosed that attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.
servicenow_unauthenticated_api_vulnerability_disclosedsupply chain cyber exposurevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Aggregated supply-chain exposure for London cyber and tech E&O books given ServiceNow's enterprise SaaS footprint.
The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.
The exploited API endpoint is /api/now/related_list_edit/create, which was allegedly configured with requires_authentication=false.
vulnerable_api_endpoint_related_list_edit_createtechnical indicatorCyber
Market relevance: Technical vulnerability detail relevant to insurer underwriting reviews of customer configuration baselines.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.
Exposure is concentrated on customers on the Australia platform release and on older releases with specific configuration changes.
exposure_concentrated_australia_release_and_legacy_configsexposure scopeCyber
Market relevance: Geographic and configuration concentration of exposure informs portfolio exposure mapping, particularly for insureds with Australian operations or legacy instances.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Attackers exploited an unauthenticated access flaw via a vulnerable ServiceNow API endpoint (reported as /api/now/related_list_edit/create) that was configured with requires_authentication=false, allowing query access to customer instance tables.
vulnerability_unauthenticated_api_endpointloss driver evidencevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Technical root cause details are relevant to cyber underwriting triage of similar misconfiguration risk across other SaaS deployments.
The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Attackers exploited an unauthenticated API endpoint vulnerability, configured with requires_authentication=false, to query customer instance tables.
attack_vector_unauthenticated_api_endpointattack vector identifiedvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Configuration-driven misconfiguration is a recurring insured loss driver across cyber portfolios.
unauthenticated API endpoint vulnerability” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow disclosed a security incident in which attackers exploited an unauthenticated API endpoint vulnerability to query data from customer instances on its enterprise SaaS platform.
servicenow_disclosed_api_vulnerabilityloss notification riskvalid from 10 Jun 2026, 00:00Cyber
Market relevance: Confirms the trigger event for downstream London cyber and tech E&O notification activity from affected SaaS customers.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
ServiceNow discloses security incident exposing customer data” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.
Attackers exploited the unauthenticated API endpoint /api/now/related_list_edit/create, which was reportedly configured with requires_authentication=false, to query customer instance tables.
vulnerable_api_endpoint_identifiedloss notification riskvalid from 10 Jun 2026, 00:00Cyber
Market relevance: Specifies the vulnerability mechanism driving insured incident-response and forensic costs.
The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Exposure is concentrated on customers running the Australia platform release and on older releases with specific configuration changes.
exposure_concentrated_on_australia_releaseloss notification riskvalid from 10 Jun 2026, 00:00Cyber
Market relevance: Geographic concentration of exposure helps underwriters scope potential insured notifications, particularly for APAC-headquartered insureds.
Vulnerability primarily impacts customers on Australia platform release or older releases with specific configuration changes” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Attackers successfully queried customer instance tables via the vulnerable endpoint, confirming unauthorized data access (not merely theoretical exposure).
servicenow_attackers_queried_customer_instance_tablesdata exposureCyber
Market relevance: Confirmed data access satisfies the unauthorized-access trigger under typical cyber and tech E&O policy wording.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow disclosed a security incident in which attackers exploited an unauthenticated API endpoint vulnerability to query data from customer instances.
servicenow_disclosure_unauthenticated_api_flawsupply chain exposurevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Confirmed vendor disclosure of an unauthenticated access flaw on a widely deployed enterprise SaaS platform; directly implicates cyber and tech E&O supply-chain exposure.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Vulnerability primarily impacts customers on the Australia platform release or on older releases with specific configuration changes.
servicenow_exposure_scope_australia_and_older_releasessupply chain exposureCyber
Market relevance: Scoped exposure helps underwriters identify potentially affected insureds by region and platform version.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Attackers successfully queried customer instance tables following exploitation of the unauthenticated API endpoint.
attackers_queried_customer_instance_tablesdata access eventvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Confirms unauthorised data access occurred, supporting first-party and potentially third-party cyber claim triggers
Attackers successfully queried customer instance tables” — BleepingComputer · 10 Jun 2026, 02:09
The event is classified as a supply-chain SaaS incident with potential aggregated exposure across London cyber and tech E&O portfolios.
supply_chain_saas_classificationaggregated exposurevalid from 10 Jun 2026, 16:19Cyber
Market relevance: Supply-chain SaaS incidents can aggregate loss across many insureds via a single vendor dependency.
widely used enterprise cloud platform, potentially implicating cyber liability and data breach coverage” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
supply-chain/enterprise SaaS breach” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Event lifecycle is developing, with corroboration threshold met and ongoing source monitoring.
lifecycle_status_developinglifecycle signalvalid from 15 Jun 2026, 23:52Cyber
Market relevance: Lifecycle position supports active monitoring posture for cyber underwriters.
Source · 16 Jun 2026, 08:04
ServiceNow applied a security update to hosted customer instances on June 5, 2026, and has opened support cases with affected customers.
vendor_patch_applied_june_5_2026containment eventvalid from 5 Jun 2026, 00:00Cyber
Market relevance: Vendor containment supports partial severity mitigation but does not eliminate downstream notification and incident-response burden.
ServiceNow applied a security update to hosted customer instances on June 5, 2026, and has opened support cases with affected customers.” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow has opened support cases with affected customers and has stated that all impacted organizations have been notified.
customer_notifications_issuednotification triggervalid from 10 Jun 2026, 16:19Cyber
Market relevance: Drives insured-side notification timelines, breach response activation, and regulatory disclosure clocks across multiple jurisdictions.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
SNOW did confirm that unauthorized access happened. They also claim they have notified all impacted orgs, so if you didn't get an email you're ok for now.” — r/cybersecurity · 9 Jun 2026, 21:39 · social community
ServiceNow applied a security update to hosted customer instances on June 5, 2026.
servicenow_security_update_june_5_2026containment actionvalid from 5 Jun 2026, 00:00Cyber
Market relevance: Vendor containment limits ongoing exposure but does not eliminate notification and forensic exposure for previously affected instances.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow has opened support cases with affected customers.
servicenow_opened_support_cases_with_affected_customersnotification trailvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Direct vendor-to-customer notification creates a documented notification trail relevant to cyber claim triggers and regulatory notification timelines.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Event tracked as a signal-stage supply-chain SaaS incident pending confirmed scope and loss data.
event_lifecycle_status_signallifecycle statusCyber
Market relevance: Signal-stage tracking indicates early-phase event; ongoing monitoring required for claim notifications.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow has opened support cases with affected customers to notify them of the security incident and required remediation actions.
customer_notifications_openedclaims indicatorvalid from 10 Jun 2026, 16:19Cyber
Market relevance: Customer notifications are a leading indicator of expected cyber claims activity under first-party breach response and third-party liability covers.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
ServiceNow has opened support cases with affected customers” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow applied a security update to hosted customer instances on June 5, 2026, addressing the unauthenticated API endpoint vulnerability.
vendor_security_update_june_5_2026vendor containmentvalid from 5 Jun 2026, 00:00Cyber
Market relevance: Confirms vendor-side containment action, relevant to cyber underwriters assessing residual exposure on patched vs. self-hosted instances.
ServiceNow discloses security incident exposing customer data” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow applied a security update to hosted customer instances on June 5, 2026 to remediate the unauthenticated API endpoint vulnerability.
vendor_security_update_appliedcontainmentvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Supply-chain SaaS incident; remediation date bounds ongoing exposure window for insured customers.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
The event remains in signal lifecycle status pending confirmation of scale and exfiltration scope.
lifecycle_status_signallifecyclevalid from 10 Jun 2026, 16:19Cyber
Market relevance: Signal status means underwriting and claims teams should monitor for confirmation updates.
ServiceNow discloses security incident exposing customer data” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.
ServiceNow has opened support cases with affected customers to coordinate response and notification.
vendor_support_cases_openedcustomer notificationvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Direct vendor notification may trigger insured notification duty and breach-response coverage.
prompting notifications to affected customers” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
ServiceNow has opened support cases with affected customers” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow has opened support cases with affected customers as part of its incident response.
support_cases_opened_with_affected_customersloss notification riskvalid from 10 Jun 2026, 00:00Cyber
Market relevance: Confirms formal notification flow to insureds, a key trigger for first-party cyber notification costs and coverage review.
ServiceNow has opened support cases with affected customers” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow deployed a security update to hosted customer instances on June 5, 2026, to remediate the vulnerability.
vendor_applied_security_update_june_5_2026loss notification riskvalid from 5 Jun 2026, 00:00Cyber
Market relevance: Vendor containment action supports characterisation as a contained supply-chain event rather than an active compromise, tempering severity.
ServiceNow applied a security update to hosted customer instances on June 5, 2026” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow applied a security update to hosted customer instances on June 5, 2026, as the containment action for the disclosed flaw.
servicenow_june5_security_update_deployedincident responsevalid from 5 Jun 2026, 00:00Cyber
Market relevance: Vendor containment limits ongoing exposure; relevant to loss-trigger and incident-response timing under cyber policies.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow has opened support cases with affected customers to communicate exposure and remediation steps.
servicenow_support_cases_opened_for_affected_customersclaims notificationCyber
Market relevance: Confirmed customer notification signals potential downstream notification and regulatory reporting triggers for insureds.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow deployed a security update to hosted customer instances on June 5, 2026.
patch_deployed_june_5_2026containmentvalid from 5 Jun 2026, 00:00cyber
Market relevance: Patch deployment reduces ongoing attacker access risk; containment milestone for incident timeline.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow has opened support cases with affected customers as part of its notification process.
support_cases_openednotification triggervalid from 10 Jun 2026, 16:19cyber
Market relevance: Active customer notification supports incident-response and notification-cost coverage triggers under cyber policies.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
ServiceNow publicly disclosed a security incident in which an unauthenticated API endpoint flaw was exploited to query data from hosted customer instances; a security update was applied to hosted instances on June 5, 2026, and support cases were opened with affected customers.
vendor_disclosure_of_api_vulnerabilitysupply chain exposurevalid from 9 Jun 2026, 22:21cyber
Market relevance: Vendor-side vulnerability disclosure affecting a widely deployed enterprise SaaS platform; relevant to cyber supply-chain exposure aggregation.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow applied a security update to hosted customer instances on June 5, 2026 to remediate the vulnerability.
servicenow_security_update_applied_june_5_2026remediation timelinevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Indicates remediation timeline, reducing ongoing exposure window for unpatched hosted instances
ServiceNow applied a security update to hosted customer instances on June 5, 2026” — BleepingComputer · 10 Jun 2026, 02:09
ServiceNow has opened support cases with affected customers to notify them of the incident.
servicenow_support_cases_openedcustomer notificationvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Confirms official notification pathway is active, relevant to notification triggers and breach-response coverage
ServiceNow has opened support cases with affected customers” — BleepingComputer · 10 Jun 2026, 02:09
ServiceNow disclosed a security incident involving an unauthenticated API endpoint flaw that could allow unintended access to customer instances.
servicenow_security_incident_disclosuresupply chain cyber exposurevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Vendor-side vulnerability in widely used enterprise SaaS platform with potential aggregated exposure across insured customer base
The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.” — BleepingComputer · 10 Jun 2026, 02:09

Reported35 lines

Instance data may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details
structured linereported
No separate sourced-claim record is available for this line yet.
Indicators of compromise include API requests from IP address 51.159.98.241
structured linereported
No separate sourced-claim record is available for this line yet.
Support cases and tickets may contain credentials, API tokens, and authentication secrets
structured linereported
No separate sourced-claim record is available for this line yet.
TechRadar reports that ServiceNow has revealed a security issue but will not disclose details on what specifically happened, constraining downstream insured-impact assessment.
vendor_opacity_on_scopedisclosure uncertaintyvalid from 15 Jun 2026, 03:41Cyber
Market relevance: Vendor disclosure limitations constrain insurer-side severity banding and may prolong uncertainty across cyber and casualty lines.
ServiceNow reveals security issue affecting customer data, but won't reveal much on what actually happened” — techradar.com · 10 Jun 2026, 14:00 · mainstream media
ServiceNow has declined to disclose specifics on the nature or scope of the incident, limiting downstream insured-impact assessment.
vendor_opacity_on_scope_and_naturetransparency constraintCyber
Market relevance: Vendor opacity constrains severity banding and insured-side notification scoping; may drive regulator or customer-side inquiries.
ServiceNow reveals security issue affecting customer data, but won't reveal much on what actually happened” — techradar.com · 10 Jun 2026, 14:00 · mainstream media
Public reporting indicates queried instance data may include IT support tickets, internal documentation, employee records, asset inventories, security incident reports, and configuration details; support cases and tickets may further contain credentials, API tokens, and authentication secrets.
queried_data_categories_include_sensitive_recordsloss driver evidencevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Sensitive data categories drive notification obligations, regulatory exposure, and potential third-party liability under tech E&O covers.
Instance data may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
The vendor has disclosed the existence of the bug and notified customers, but has not publicly disclosed specifics on the nature, scope, or root cause of the incident, limiting insurer-side assessment of insured impact.
vendor_disclosure_transparency_limitedinformation gapvalid from 15 Jun 2026, 03:41Cyber
Market relevance: Limited vendor transparency constrains underwriting ability to scope aggregated exposure across cyber and casualty books.
ServiceNow reveals security issue affecting customer data, but won't reveal much on what actually happened” — techradar.com · 10 Jun 2026, 14:00 · mainstream media
Reporting indicates queried instance data may include IT support tickets, internal documentation, employee records, asset inventories, security incident reports, configuration details, and potentially credentials or API tokens.
data_categories_potentially_exposeddata exposure scopevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Inclusion of credentials/secrets raises downstream incident-response and notification severity for insureds.
instance data may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Public reporting does not confirm mass data exfiltration, ransomware activity, or critical-infrastructure impact associated with the incident.
no_confirmed_mass_exfiltration_or_ransomwareloss notification riskvalid from 10 Jun 2026, 00:00Cyber
Market relevance: Absence of confirmed mass exfiltration or ransomware activity caps initial severity for London cyber portfolios.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
absent of confirmed mass data exfiltration, ransomware activity, or critical-infrastructure impact” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Instance data potentially exposed may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details.
servicenow_potential_data_categories_at_riskdata exposureCyber
Market relevance: Breadth of potentially exposed data categories elevates notification, regulatory, and third-party liability exposure for insureds.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Support cases and tickets may contain credentials, API tokens, and authentication secrets, increasing downstream secret-rotation and credential-reuse risk.
servicenow_credentials_or_tokens_may_reside_in_ticketsdata exposureCyber
Market relevance: If confirmed, presence of credentials and API tokens in exposed tickets materially increases third-party liability and incident-response severity.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
ServiceNow is a US-headquartered enterprise SaaS provider; affected instances are globally distributed, with specific exposure on the Australia platform release region.
servicenow_global_instance_distributionsupply chain exposureCyber
Market relevance: Global instance distribution and US vendor headquarters inform cross-jurisdictional regulatory and notification exposure for insureds.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
Instance data potentially exposed may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details. Reporting further indicates support cases and tickets may contain credentials, API tokens, and authentication secrets.
potential_instance_data_categoriesdata exposure characterizationcyber
Market relevance: Sensitive data categories within ServiceNow instances, including potential secrets in tickets, drive notification, regulatory, and third-party liability exposure for insureds.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Potentially exposed instance data may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details. Support cases and tickets may contain credentials, API tokens, and authentication secrets.
affected_instance_data_categoriespotential secrets exposurevalid from 9 Jun 2026, 22:21Cyber
Market relevance: If credentials or secrets were exposed, downstream third-party liability and notification costs could escalate cyber loss potential
Instance data may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details” — BleepingComputer · 10 Jun 2026, 02:09
Instance data that may have been queried includes IT support tickets, internal documentation, employee records, asset inventories, security incident reports, and configuration details. Support cases and tickets may contain credentials, API tokens, and authentication secrets.
potentially_exposed_data_categoriesdata exposure scopevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Material to first-party and third-party cyber liability coverage assessment, particularly credential rotation and regulatory notification obligations.
Instance data may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.
Indicators of compromise include API requests from IP address 51.159.98.241.
indicator_of_compromise_ipioc releasevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Actionable IOC for insured-side threat hunting and incident-response providers.
Indicators of compromise include API requests from IP address 51.159.98.241” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.
Queried instance data may include IT support tickets, internal documentation, employee records, asset inventories, security incident reports, configuration details, and potentially credentials, API tokens, and authentication secrets.
queried_data_categories_potentially_include_credentialsdata exposure scopeCyber
Market relevance: Inclusion of credentials and tokens in potentially exposed data elevates downstream incident-response, credential rotation, and notification burden for affected insureds.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Indicators of compromise include API requests originating from IP address 51.159.98.241.
ioc_api_requests_from_ip_51_159_98_241technical indicatorCyber
Market relevance: IoC supports forensic triage and detection engineering across insured environments using ServiceNow.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
A published indicator of compromise includes API requests originating from IP address 51.159.98.241.
ioc_ip_address_publishedioc publishedvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Actionable IOC supports insured detection and forensic coverage utilisation.
Indicators of compromise include API requests from IP address 51.159.98.241” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Public reporting indicates queried instance data may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details, and that support cases and tickets may contain credentials, API tokens, and authentication secrets.
instance_data_may_include_sensitive_recordsloss notification riskvalid from 10 Jun 2026, 00:00Cyber
Market relevance: Range of potentially exposed data categories elevates regulatory notification, breach response, and credential rotation costs for insureds.
Instance data may include IT support tickets, employee records, internal documentation, asset inventories, security incident reports, and configuration details” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Public reporting identifies IP address 51.159.98.241 as a published indicator of compromise associated with API requests exploiting the vulnerability.
indicator_of_compromise_ip_51_159_98_241loss notification riskvalid from 10 Jun 2026, 00:00Cyber
Market relevance: IoC supports insured forensic and threat-intel response, with potential E&O exposure for managed security providers.
Indicators of compromise include API requests from IP address 51.159.98.241” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
The exploited unauthenticated API endpoint was reported as /api/now/related_list_edit/create, allegedly configured with requires_authentication=false.
servicenow_vulnerable_endpoint_identifiersupply chain exposureCyber
Market relevance: Specific endpoint and misconfiguration detail supports underwriting diligence on insured instance configuration hygiene.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Indicators of compromise include API requests originating from IP address 51.159.98.241.
servicenow_indicator_of_compromise_published_ipincident responseCyber
Market relevance: Published IOC supports insured-side detection and forensic review under cyber incident-response coverage.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Attackers exploited an unauthenticated access flaw through the /api/now/related_list_edit/create endpoint, which was allegedly configured with requires_authentication=false.
vulnerable_api_endpointtechnical detailcyber
Market relevance: Specific endpoint and misconfiguration detail relevant to insured incident-response scoping and forensic timelines.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Indicators of compromise include API requests originating from IP address 51.159.98.241.
ioc_ip_addressioc releasecyber
Market relevance: IOC supports insured-side detection, threat hunting, and breach-coverage trigger validation.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Attackers reportedly exploited the API endpoint /api/now/related_list_edit/create, which was configured with requires_authentication=false, to query customer instance tables.
vulnerable_api_endpoint_and_misconfigurationvulnerability characterizationcyber
Market relevance: Technical detail of the vulnerability mechanism; supports underwriting assessment of exposure surface and patch scope.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Reporting cites IP address 51.159.98.241 as an indicator of compromise associated with API requests against the vulnerable endpoint.
indicator_of_compromise_publishedthreat intelligencecyber
Market relevance: Enables insureds and underwriters to perform network-level detection and forensic scoping; relevant to incident response coverage triggers.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
An indicator of compromise has been reported as API requests originating from IP address 51.159.98.241.
ioc_ip_address_51_159_98_241threat intelligencevalid from 9 Jun 2026, 22:21Cyber
Market relevance: Useful for insured organisations conducting log review and threat hunting; may inform incident-response coverage use
Indicators of compromise include API requests from IP address 51.159.98.241” — BleepingComputer · 10 Jun 2026, 02:09
If employee records or personal data were accessed across multiple insured entities, casualty lines with cyber-triggered liability components may face secondary notification and regulatory exposure.
casualty_books_secondary_exposurelob exposure pathwayvalid from 16 Jun 2026, 00:00Casualty
Market relevance: Casualty books with cyber-triggered liability components may see secondary exposure if personal data access is confirmed.
the lack of transparency limits assessment of potential insured impact across Cyber and Casualty lines” — techradar.com · 10 Jun 2026, 14:00 · mainstream media
The ServiceNow incident creates a potential technology errors and omissions exposure pathway for the vendor itself and, depending on contract terms, for downstream corporate users of the platform.
tech_claims_e_and_o_exposure_pathwaylob exposure pathwayvalid from 16 Jun 2026, 00:00Tech E&O
Market relevance: Tech E&O books may see indirect exposure depending on contractual liability allocation and vendor indemnities.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
Given ServiceNow's broad enterprise SaaS footprint, multiple insured entities may be concurrently affected, creating aggregated supply-chain exposure across London cyber, tech E&O, and casualty lines.
supply_chain_aggregation_riskaccumulation riskvalid from 16 Jun 2026, 00:00Cyber
Market relevance: Aggregated exposure across multiple insureds elevates potential accumulation risk for syndicates with cyber and tech E&O books.
ServiceNow tells customers a bug left some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
Attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.” — r/SecOpsDaily · 9 Jun 2026, 22:05 · social community
The event is a supply-chain SaaS incident with potential aggregated exposure across London cyber and tech E&O portfolios for insureds using ServiceNow.
supply_chain_saas_aggregated_cyber_and_tech_eo_exposureaggregated supply chain exposureCyber
Market relevance: Aggregated supply-chain exposure across London cyber and tech E&O books serving large corporate insureds using ServiceNow.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
techradar.com · 10 Jun 2026, 14:00 · mainstream media
ServiceNow is a widely deployed enterprise SaaS platform used by large corporates likely insured across London cyber, tech E&O, and casualty books, creating potential aggregated supply-chain exposure on both first-party and third-party liability covers.
supply_chain_saas_aggregation_riskaggregation riskvalid from 15 Jun 2026, 03:41Cyber
Market relevance: Aggregated supply-chain exposure is the primary London market concern; severity remains medium absent confirmed mass exfiltration or ransomware activity.
a widely used enterprise cloud platform, potentially implicating cyber liability and data breach coverage for downstream corporate users” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
the company's enterprise SaaS footprint creates potential downstream exposure for many insureds” — techradar.com · 10 Jun 2026, 14:00 · mainstream media
Public reporting notes the event potentially implicates tech E&O and third-party liability coverage for downstream corporate users of the platform.
tech_eo_third_party_exposurethird party liabilityvalid from 10 Jun 2026, 16:19Tech E&O
Market relevance: Tech E&O may respond to third-party claims alleging vendor-side security failure.
potentially implicating cyber liability and data breach coverage for downstream corporate users” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
ServiceNow's wide enterprise deployment creates aggregated supply-chain exposure across London cyber, tech E&O, and casualty books, with potential first-party incident response and third-party liability notification activity for insureds running ServiceNow.
supply_chain_exposure_for_london_cyber_booksloss notification riskvalid from 10 Jun 2026, 00:00Cyber
Market relevance: Primary market implication: aggregated supply-chain exposure for London cyber and tech E&O underwriters serving ServiceNow customers.
This is a significant supply-chain/enterprise SaaS breach with potential aggregated exposure across multiple London market cyber and casualty books” — BleepingComputer · 9 Jun 2026, 21:34 · trade media

Uncertain18 lines

Exact number of affected customers and instances
structured lineuncertain
No separate sourced-claim record is available for this line yet.
Duration of attacker access and extent of data exfiltration
structured lineuncertain
No separate sourced-claim record is available for this line yet.
Whether a CVE will be published for the vulnerability
structured lineuncertain
No separate sourced-claim record is available for this line yet.
Specific data categories that were accessed across affected instances
structured lineuncertain
No separate sourced-claim record is available for this line yet.
Whether a CVE will be published for the vulnerability is unconfirmed in public reporting.
cve_publication_unconfirmedvulnerability disclosure statusCyber
Market relevance: CVE publication status affects vulnerability management prioritisation across insured environments.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
The duration of attacker access and the extent of data exfiltration have not been publicly confirmed.
attacker_access_duration_uncertainuncertaintyvalid from 10 Jun 2026, 16:19Cyber
Market relevance: Access duration is a primary severity driver for cyber claims triage and reserves.
some of their data exposed to the internet” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
duration of attacker access ... remain unconfirmed” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.
The exact number of affected customers and instances has not been publicly confirmed.
affected_customer_count_uncertainuncertaintyvalid from 10 Jun 2026, 16:19Cyber
Market relevance: Unconfirmed scale limits ability to bound aggregated insured exposure.
some of their data exposed” — techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
number of affected customers ... remain unconfirmed” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.
The duration of attacker access and the extent of data exfiltration are unconfirmed in public reporting.
servicenow_attack_duration_unconfirmeddata exposureCyber
Market relevance: Access duration and exfiltration extent are key drivers of incident severity and potential claim quantum under cyber covers.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
The exact number of affected customers and instances is unconfirmed in public reporting.
servicenow_affected_customer_count_unconfirmedsupply chain exposureCyber
Market relevance: Customer count is a key driver of aggregated insured loss and notification cost; remains unconfirmed.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
Whether a CVE will be published for the vulnerability is unconfirmed.
servicenow_cve_publication_uncertainsupply chain exposureCyber
Market relevance: CVE publication drives insured patch obligations and potential policy conditions tied to known-vulnerability exclusions.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
The specific data categories that were actually accessed across affected instances are unconfirmed in public reporting.
servicenow_specific_data_categories_accessed_unconfirmeddata exposureCyber
Market relevance: Confirmation of accessed data categories drives notification, regulatory, and third-party liability severity for insureds.
BleepingComputer · 9 Jun 2026, 21:34 · trade media
The exact number of affected customers and instances, the duration of attacker access, the extent of data exfiltration, whether a CVE will be published, and the specific data categories accessed across affected instances remain unconfirmed.
scope_of_affected_customers_uncertainuncertainty flagcyber
Market relevance: Open scoping questions constrain loss-severity estimates; underwriters should treat the event as a watch item pending vendor disclosure updates.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
BleepingComputer · 9 Jun 2026, 21:34 · trade media
The exact number of affected customers and instances, the duration of attacker access, the extent of data exfiltration, and whether a CVE will be published remain unconfirmed.
affected_scope_uncertainexposure magnitude unknownvalid from 9 Jun 2026, 22:21Cyber
Market relevance: Aggregate exposure magnitude is a key driver of cyber and tech E&O loss potential across London market books
Exact number of affected customers and instances ... remain unconfirmed” — BleepingComputer · 10 Jun 2026, 02:09
ServiceNow has not publicly disclosed the number of affected customers or instances; vendor has declined to detail scope, per TechRadar reporting.
affected_customer_count_unknownscope uncertaintyvalid from 15 Jun 2026, 03:41Cyber
Market relevance: Material unknown constraining severity banding; insurer-side notification data is required to refine exposure assessment.
ServiceNow reveals security issue affecting customer data, but won't reveal much on what actually happened” — techradar.com · 10 Jun 2026, 14:00 · mainstream media
Supersession history: 1 prior/revised claim rows.
Duration of attacker access and extent of data exfiltration have not been publicly disclosed by ServiceNow.
access_duration_and_exfiltration_scope_unknowntimeline uncertaintyvalid from 15 Jun 2026, 03:41Cyber
Market relevance: Constrains insured-severity banding; longer access or confirmed mass exfiltration would materially elevate notification and loss costs.
ServiceNow reveals security issue affecting customer data, but won't reveal much on what actually happened” — techradar.com · 10 Jun 2026, 14:00 · mainstream media
Duration of attacker access and extent of data exfiltration” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.
The exact number of affected customers and instances remains unconfirmed in public reporting.
affected_customer_count_unconfirmedscope uncertaintyCyber
Market relevance: Unconfirmed scope limits portfolio-level loss estimation; treated as a key uncertainty.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
techradar.com · 10 Jun 2026, 14:00 · mainstream media
The duration of attacker access and the extent of data exfiltration remain unconfirmed in public reporting.
attacker_access_duration_and_exfiltration_scope_unconfirmedscope uncertaintyCyber
Market relevance: Unconfirmed access duration and exfiltration scope constrain severity banding; key uncertainty for portfolio exposure.
techcrunch.com · 10 Jun 2026, 16:00 · mainstream media
techradar.com · 10 Jun 2026, 14:00 · mainstream media
It is not publicly confirmed whether a CVE will be published for the unauthenticated API endpoint vulnerability.
cve_publication_uncertainvulnerability identificationvalid from 9 Jun 2026, 22:21Cyber
Market relevance: CVE assignment would formalize the vulnerability for insured patch-coverage and underwriting references.
Whether a CVE will be published for the vulnerability” — BleepingComputer · 9 Jun 2026, 21:34 · trade media
Supersession history: 1 prior/revised claim rows.

Geographic Zone Matches

3 active matches

  • TRIA Certified Areas
    Rule-basedConfidence 100%
  • Pacific Ring of Fire
    Rule-basedConfidence 100%
  • Caribbean Hurricane Zone
    Rule-basedConfidence 100%

Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.

Affected countries

🇺🇸 United States

Latest developments

  • Confirmed: ServiceNow disclosed exploitation of an unauthenticated API endpoint affecting customer instances. BleepingComputer
  • The vulnerable API endpoint has been publicly identified with associated misconfiguration. BleepingComputer
  • ServiceNow applied a security update to hosted instances on June 5, 2026, and is engaging affected customers via support cases. BleepingComputer
  • Exposure is concentrated on the Australia platform release and older releases with specific configuration changes. BleepingComputer
  • ServiceNow is notifying affected customers via support cases; reporting indicates all impacted organizations have been contacted. techcrunch.com
  • An IP address has been cited as an indicator of compromise associated with the exploitation activity. BleepingComputer
  • Potentially exposed data categories include support tickets, employee records, configuration data, and possibly credentials or API tokens. BleepingComputer
  • ServiceNow has not publicly disclosed the number of affected customers or instances. techradar.com

Timeline

Corroboration16 Jun 2026, 08:50

A zero-authentication API vulnerability in ServiceNow was exploited in a data breach, with the advisory reportedly gated and customers left unaware. ServiceNow is a widely used enterprise SaaS platform, making this a significant supply chain / enterprise application security incident with potential downstream impact on thousands of corporate customers globally.

Source: techtimes.com (Mainstream Media) · View source

Intelligence Refresh16 Jun 2026, 08:04
Corroboration16 Jun 2026, 00:00

ServiceNow has disclosed a security incident where attackers exploited an unauthenticated API endpoint to query data from customer instances. The incident affects ServiceNow's enterprise customer base globally, with potential data exposure across multiple organizations. This represents a supply chain-style data breach impacting a major enterprise SaaS platform used by many large corporations.

Source: r/SecOpsDaily (Social / Community) · View source

Status Change15 Jun 2026, 23:52

Status changed to developing

evidence_trigger: corroboration >= 2

signal -> developing

Corroboration15 Jun 2026, 23:52

ServiceNow has disclosed a security incident involving unauthorized access to some customer instances, with limited detail on what data was exposed. The company states all impacted organizations have been notified. This represents a potential data breach and supply chain exposure for ServiceNow's enterprise customer base.

Source: r/cybersecurity (Social / Community) · View source

Corroboration15 Jun 2026, 03:41

ServiceNow has revealed a security issue affecting customer data but has not disclosed specifics about the nature or scope of the incident. The lack of transparency limits assessment of potential insured impact across Cyber and Casualty lines, though the company's enterprise SaaS footprint creates potential downstream exposure for many insureds.

Source: techradar.com (Mainstream Media) · View source

Corroboration10 Jun 2026, 16:19

ServiceNow disclosed a bug that left some customer data exposed to the internet, prompting notifications to affected customers. The incident relates to a widely used enterprise cloud platform, potentially implicating cyber liability and data breach coverage for downstream corporate users.

Source: techcrunch.com (Mainstream Media) · View source

Intelligence Refresh10 Jun 2026, 02:09
Initial Detection9 Jun 2026, 22:21

Initial Detection

ServiceNow disclosed a security incident where attackers exploited an unauthenticated API endpoint flaw to query data from customer instances. The vulnerability primarily affected customers on the Australia platform release or those with specific configuration changes. This is a significant supply-chain/enterprise SaaS breach with potential aggregated exposure across multiple London market cyber and casualty books.

The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.

Source: BleepingComputer (Trade Media) · View source

Lloyd's classifications

Tracking this kind of risk? Get an email when Cyber events escalate.

Get alerts
← Back to live events