
ShinyHunters Hits Ameriprise: 200GB SaaS Breach Lessons for SAMA Banks

ShinyHunters claimed 200GB of Ameriprise data, hitting nearly 48,000 customers via Salesforce and SharePoint. What SAMA-regulated Saudi banks must learn about SaaS supply chain risk and detection gaps.

FyntraLink Team

Ameriprise Financial — a wealth manager overseeing roughly $1.17 trillion in assets — disclosed on April 28, 2026 that an intruder accessed stored data and files affecting nearly 48,000 individuals. Threat actor ShinyHunters has since claimed it exfiltrated more than 200GB of compressed SharePoint content alongside Salesforce customer records. For Saudi financial institutions operating under SAMA Cyber Security Framework controls, this is not a story about a distant US wirehouse — it is a near-perfect blueprint of the SaaS-centric attack pattern now rotating through the GCC.

Anatomy of the Ameriprise Incident

The intrusion timeline filed with the Maine Attorney General is uncomfortable reading for any CISO. Initial unauthorized access occurred on March 2, 2026. Detection followed only on March 18 — a 16-day dwell time during which the attacker reportedly enumerated SharePoint repositories and Salesforce objects holding client account records, addresses, and identifiers consistent with US Social Security numbers. Public disclosure came six weeks after detection, on April 28. ShinyHunters subsequently set a public ransom deadline and threatened to dump the 200GB trove on a leak forum, mirroring the playbook the group used against Snowflake-tenant victims in 2024 and the Salesforce campaign that swept through dozens of Fortune 500s in late 2025.

Why ShinyHunters Targets Financial SaaS Tenants

ShinyHunters is no longer the credential-stuffing crew it was in 2020. The current operation is an extortion-only outfit specializing in SaaS tenant compromise — Salesforce, Workday, Snowflake, and Microsoft 365 / SharePoint Online. The group rarely deploys ransomware. Instead it abuses OAuth grants, vishing of help-desk staff, and compromised third-party connector apps to exfiltrate structured customer data, then monetizes through name-and-shame extortion. For a bank or wealth manager, the impact is the same as ransomware without the encryption: regulatory disclosure, lawsuits, and a permanent dark-web copy of the customer book. The group's economics work because financial firms have moved CRM, document collaboration, and analytics to SaaS faster than they have moved their detection capabilities.

Impact on Saudi Financial Institutions

Saudi banks, insurers, and capital market institutions are deep into the same SaaS migration. Salesforce Financial Services Cloud, Microsoft 365 E5, ServiceNow, and Workday are now standard in the Riyadh and Eastern Province head-office stacks. Under SAMA CSCC subdomain 3.3.5 (Cloud Computing) and 3.3.13 (Cyber Security Event Management), regulated entities must maintain monitoring, logging, and incident response capability across these tenants — not only on-premises systems. The Personal Data Protection Law (PDPL) Article 20 imposes a 72-hour notification requirement to SDAIA when a breach of personal data is likely to harm data subjects, and the NCA Essential Cybersecurity Controls (ECC-2:2024) subdomain 2-15 requires equivalent third-party security assurance. A 16-day undetected dwell time inside a Salesforce or SharePoint tenant would breach all three frameworks simultaneously, and SAMA's enforcement posture in 2026 has moved from observation letters to material monetary penalties.

The Detection Gap That Enables These Attacks

Most Saudi banks have invested heavily in network detection and endpoint detection and response (EDR) — Microsoft Defender, CrowdStrike Falcon, SentinelOne — but their visibility into SaaS-native activity is shallow. SharePoint Online unusual-download patterns, Salesforce Data Loader API misuse, anomalous OAuth app consents, and impossible-travel logins for service accounts are typically not forwarded to the SOC at all. When they are, the rules are tuned for noise reduction, not for the slow-burn exfiltration ShinyHunters favors. The result is exactly what Ameriprise experienced: weeks of legitimate-looking API reads against a CRM, ending in a sudden bulk export to an attacker-controlled endpoint.
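To make the two detection gaps above concrete, here is an added example (not FyntraLink code, and not any vendor's detection rule) of a SOC correlation pass over constructed SaaS audit records. It flags a mass download from SharePoint Online using the 500-file / 5 GB per-session thresholds recommended later in this post, and it flags the slow-burn pattern: days of steady Salesforce API reads from one user, followed by a single day whose row volume dwarfs that user's own baseline. Field names are modeled on the Microsoft 365 unified audit log and the Salesforce ApiEvent object, but the records, user names, the SessionId and FileSizeBytes fields, the seven-day baseline and the 10x burst multiplier are all assumptions made for this example.

```python
"""Toy SaaS exfiltration detector over constructed audit events (added example, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FILES_PER_SESSION = 500            # per-session thresholds from the recommendations in this post
MAX_BYTES_PER_SESSION = 5 * 1024 ** 3  # 5 GB
BASELINE_MIN_DAYS = 7                  # assumption: days of history needed before a day is judged
BURST_MULTIPLIER = 10                  # assumption: a day at >= 10x the user's daily mean is a burst


def detect_mass_download(sharepoint_events):
    """Sum FileDownloaded records per (user, session); alert when either threshold is exceeded."""
    sessions = defaultdict(lambda: {"files": 0, "bytes": 0})
    for ev in sharepoint_events:
        if ev["Operation"] != "FileDownloaded":  # FileAccessed, FilePreviewed etc. are not downloads
            continue
        s = sessions[(ev["UserId"], ev["SessionId"])]
        s["files"] += 1
        s["bytes"] += ev["FileSizeBytes"]
    return [
        {"user": user, "session": sid, "files": s["files"], "bytes": s["bytes"]}
        for (user, sid), s in sessions.items()
        if s["files"] > MAX_FILES_PER_SESSION or s["bytes"] > MAX_BYTES_PER_SESSION
    ]


def detect_slow_burn_export(api_events):
    """Per user, total RowsProcessed per day; alert on any day that dwarfs that user's prior days."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for ev in api_events:
        per_user_day[ev["Username"]][ev["EventDate"][:10]] += ev["RowsProcessed"]
    alerts = []
    for user, days in per_user_day.items():
        ordered = sorted(days)  # ISO dates sort chronologically
        for i in range(BASELINE_MIN_DAYS, len(ordered)):
            prior = ordered[:i]
            baseline = sum(days[d] for d in prior) / len(prior)
            today = days[ordered[i]]
            if baseline > 0 and today >= BURST_MULTIPLIER * baseline:
                alerts.append({"user": user, "day": ordered[i], "rows": today,
                               "baseline_rows_per_day": baseline})
    return alerts


def build_sample_sharepoint_events():
    """Constructed SharePoint Online records: one normal session, one file-count burst, one byte burst."""
    mib = 1024 ** 2
    events = []
    for _ in range(120):   # normal advisor session: 120 files of 2 MiB
        events.append({"Operation": "FileDownloaded", "UserId": "advisor@bank.example",
                       "SessionId": "s-normal", "FileSizeBytes": 2 * mib})
    for _ in range(650):   # connector account pulling 650 small files (count threshold)
        events.append({"Operation": "FileDownloaded", "UserId": "svc-connector@bank.example",
                       "SessionId": "s-bulk", "FileSizeBytes": 3 * mib})
    for _ in range(12):    # 12 archives of 600 MiB = 7.2 GiB (byte threshold)
        events.append({"Operation": "FileDownloaded", "UserId": "contractor@bank.example",
                       "SessionId": "s-archive", "FileSizeBytes": 600 * mib})
    events.append({"Operation": "FileAccessed", "UserId": "advisor@bank.example",
                   "SessionId": "s-normal", "FileSizeBytes": 0})  # must be ignored
    return events


def build_sample_api_events():
    """Constructed Salesforce ApiEvent records over 17 days; the integration user bursts on day 17."""
    start = datetime(2026, 3, 2)  # constructed; chosen so the burst lands 16 days after the first read
    events = []
    for d in range(17):
        stamp = (start + timedelta(days=d)).strftime("%Y-%m-%dT09:00:00.000Z")
        events.append({"EventDate": stamp, "Username": "advisor@bank.example", "Operation": "Query",
                       "QueriedEntities": "Account", "RowsProcessed": 1500})
        events.append({"EventDate": stamp, "Username": "svc-integration@bank.example", "Operation": "Query",
                       "QueriedEntities": "Account,Contact", "RowsProcessed": 180000 if d == 16 else 1800})
    return events


if __name__ == "__main__":
    for a in detect_mass_download(build_sample_sharepoint_events()):
        print("SharePoint mass download:", a)
    for a in detect_slow_burn_export(build_sample_api_events()):
        print("Salesforce slow-burn export:", a)
```

The per-user baseline is the point: a static row-count threshold would either fire daily on the integration account or miss the export, whereas comparing each day with that same user's history isolates the one day that does not look like the previous sixteen. In production the same logic would run on Salesforce Shield ApiEvent and BulkApiResultEvent streams and on the unified audit log rather than on constructed lists.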

Recommended Actions for SAMA-Regulated Entities

  1. Enable Microsoft Purview Insider Risk Management and Defender for Cloud Apps with SharePoint and OneDrive policies tuned for mass-download anomalies above 500 files or 5GB per session.
  2. Deploy Salesforce Shield with Event Monitoring and stream Real-Time Event objects (ApiEvent, BulkApiResultEvent, ReportEvent) into the SOC SIEM for correlation against identity signals.
  3. Inventory and block all third-party OAuth applications with offline_access or full-tenant scopes; require admin consent and a documented business case under NCA ECC subdomain 2-2-3.
  4. Implement phishing-resistant MFA — FIDO2 / WebAuthn or certificate-based — for all privileged SaaS accounts, eliminating SMS and push-only options exploited in vishing-driven help-desk resets.
  5. Run a tabletop exercise specifically modeled on the ShinyHunters extortion-only scenario, with legal, communications, SAMA reporting, and SDAIA PDPL notification workflows rehearsed against a 72-hour clock.
  6. Update the Third-Party Risk Management register to flag every SaaS provider holding regulated personal or transactional data, mapping each to SAMA CSCC subdomain 3.3.14 and contractual breach-notification SLAs.
  7. Validate that data loss prevention (DLP) policies inspect outbound SharePoint sharing links, Salesforce report exports, and Power Automate flows, not only email and endpoint channels.
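Recommendation 3 is the one most often left as a manual spreadsheet task, so here is an added example (not FyntraLink code, and not an Entra ID or Salesforce API) that applies its rule to a constructed export of OAuth grants: any app holding offline_access / refresh_token or a full-tenant scope is blocked unless it has tenant-wide admin consent and a documented business case reference. The scope names are real Microsoft Graph and Salesforce scope names and "AllPrincipals" is the Entra ID value for admin consent; the app names, the inventory format, and the rule that any Graph scope ending in ".All" counts as tenant-wide are assumptions made for this example.

```python
"""Review a constructed OAuth grant inventory against the block/allow rule above (added example)."""

PERSISTENT_SCOPES = {"offline_access", "refresh_token"}  # Graph and Salesforce spellings of "keep a refresh token"
SALESFORCE_FULL_SCOPES = {"full"}                         # Salesforce connected-app scope covering all data access


def is_full_tenant_scope(scope):
    """Assumption for this example: Graph scopes ending in .All, or the Salesforce 'full' scope."""
    return scope.endswith(".All") or scope in SALESFORCE_FULL_SCOPES


def classify_grant(grant):
    """Return None for an unremarkable grant, else a finding carrying the action the rule implies."""
    risky = sorted(s for s in set(grant["scopes"])
                   if s in PERSISTENT_SCOPES or is_full_tenant_scope(s))
    if not risky:
        return None
    admin_consent = grant["consent_type"] == "AllPrincipals"  # Entra ID: tenant-wide admin consent
    gaps = []
    if not admin_consent:
        gaps.append("user consent only; admin consent required")
    if not grant.get("business_case_ref"):
        gaps.append("no documented business case (NCA ECC 2-2-3)")
    return {
        "app": grant["app"],
        "platform": grant["platform"],
        "risky_scopes": risky,
        "action": "block" if gaps else "allow",
        "gaps": gaps,
    }


def review_inventory(grants):
    """Findings for every grant that carries a persistent or full-tenant scope."""
    return [f for f in (classify_grant(g) for g in grants) if f is not None]


def build_sample_grants():
    """Constructed inventory. consent_type is mapped onto Salesforce entries by hand for this example."""
    return [
        {"app": "CRM-to-DataLake Sync", "platform": "m365", "consent_type": "AllPrincipals",
         "scopes": ["Sites.Read.All", "offline_access"], "business_case_ref": "TPRM-2026-0417"},
        {"app": "Free PDF Converter", "platform": "m365", "consent_type": "Principal",
         "scopes": ["Files.ReadWrite.All", "offline_access"]},
        {"app": "Calendar Helper", "platform": "m365", "consent_type": "Principal",
         "scopes": ["Calendars.Read"]},
        {"app": "Marketing Sync", "platform": "salesforce", "consent_type": "AllPrincipals",
         "scopes": ["full", "refresh_token"]},
        {"app": "Slack Notifier", "platform": "salesforce", "consent_type": "AllPrincipals",
         "scopes": ["api"], "business_case_ref": "TPRM-2025-0090"},
    ]


if __name__ == "__main__":
    for finding in review_inventory(build_sample_grants()):
        print(f"{finding['action'].upper():5} {finding['app']:22} scopes={finding['risky_scopes']} "
              f"gaps={finding['gaps']}")
```

Note the two different ways an app ends up blocked: the PDF converter was consented by an individual user and has no business case, while the Salesforce marketing app was admin-approved but never documented. The allow decision for the data-lake sync is deliberately not an exemption from monitoring; it simply records that the grant meets the two conditions the recommendation sets.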

Conclusion

The Ameriprise incident is the latest evidence that the financial-sector attack surface has moved decisively into the SaaS tenant — and that incumbent detection stacks have not kept up. For Saudi banks, the question is no longer whether ShinyHunters or a peer group will attempt the same playbook against a Riyadh-based wealth or insurance platform; it is whether a 16-day SharePoint exfiltration would be detected before it became a SAMA disclosure event. The control set required to close that gap is well-defined under CSCC, ECC, and PDPL — what is missing in most institutions is honest measurement of SaaS visibility against those expectations.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on SaaS detection and third-party risk readiness.