[BreachExchange] Salesforce.com Warns Marketing Customers of Data Leakage SNAFU

Destry Winant destry at riskbasedsecurity.com
Mon Aug 6 04:25:29 EDT 2018


https://threatpost.com/salesforce-com-warns-marketing-customers-of-data-leakage-snafu/134703/

Potentially impacted customers include organizations like Aldo, Dunkin
Donuts, GE, HauteLook, Nestle Waters, News Corp Australia and Sony.

Cloud behemoth Salesforce.com is warning customers about an API error
that may have leaked data for some users of its Marketing Cloud
offering.

The issue was in play between June 4 and July 18, according to an alert
that Salesforce.com sent out to customers Thursday. The issue
potentially affected users of two modules within the broader Marketing
Cloud offering: the Email Studio and Predictive Intelligence products.

The notice, first obtained by BankInfoSecurity and confirmed as
authentic by Threatpost, described a code change that was introduced
when Salesforce.com released an update to Marketing Cloud; the change
resulted in incorrectly implemented REST API calls.

“In rare cases… REST API calls [could] retrieve or write data from one
customer’s account to another inadvertently,” according to the alert.
“Where the issue occurred, the API call may have failed and generated
an error message rather than writing or modifying data.”

In addition, some customers may have had their data corrupted – which
is less of a privacy problem and more of a business challenge.
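The alert describes the classic multi-tenant failure: an authenticated API call that scopes its data access by an identifier other than the caller's own tenant. The following is an added illustration, not Salesforce's code or a description of the actual defect: a toy REST handler in the defective form beside a scoped form that fails closed, plus a small log-review helper of the kind a customer could use to look for cross-tenant activity. Tenant names, tokens, records and the log format are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data (hypothetical tenants, not real customers): API tokens
# bound to a tenant, and per-tenant records keyed by (tenant, record id).
TOKENS = {"tok-a": "tenant-a", "tok-b": "tenant-b"}
RECORDS = {("tenant-a", "c1"): {"email": "a@example.com"},
           ("tenant-b", "c1"): {"email": "b@example.com"}}

@dataclass
class Request:
    token: str                    # credential presented by the caller
    account: str                  # account id from the URL path: client-controlled
    record: str
    body: Optional[dict] = None   # present for a write, absent for a read

def handle_unscoped(req: Request, store: dict) -> Tuple[int, Optional[dict]]:
    """Defective pattern: authenticates the token but scopes data by the path's
    account id, so a valid caller can reach or overwrite another tenant's record."""
    if req.token not in TOKENS:
        return 401, None
    key = (req.account, req.record)
    if req.body is not None:
        store[key] = req.body
    return 200, store.get(key)

def handle_scoped(req: Request, store: dict) -> Tuple[int, Optional[dict]]:
    """Hardened pattern: the tenant is derived from the credential; a mismatch
    returns an error and writes nothing."""
    tenant = TOKENS.get(req.token)
    if tenant is None:
        return 401, None
    if req.account != tenant:
        return 403, {"error": "cross-tenant access denied",
                     "auth_tenant": tenant, "requested": req.account}
    key = (tenant, req.record)
    if req.body is not None:
        store[key] = req.body
    return 200, store.get(key)

def cross_tenant_events(log_lines: List[str]) -> List[dict]:
    """Review helper: flag API log lines (constructed key=value format) whose
    authenticated tenant differs from the account the call actually touched."""
    hits = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        auth, acct = fields.get("auth_tenant"), fields.get("account")
        if auth and acct and auth != acct:
            hits.append(fields)
    return hits
```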

Marketing Cloud is a collection of platforms that allow customers to
create personalized marketing campaigns across a variety of channels,
ranging from traditional ads to social media to connected things. For
instance, digital coolers in a grocery store can capture shoppers’
demographic data and use that information to display customized
content and a call to action on an embedded touchscreen. That content
might take the form of coupons, or an exhortation to go online for
deals and information. Marketing Cloud powers the data collection and
Big Data analysis required to follow a given shopper through this
“journey,” as Salesforce calls it, and manages the increasingly
personalized interactions that a company might have with that shopper,
in an automated way.

In other words, Marketing Cloud handles plenty of sensitive
information – collected on behalf of customers that Salesforce said
“range from business-to-business and nonprofits to some of the largest
business-to-consumer companies in the world,” according to its
website. These include organizations like Aldo, Dunkin Donuts, GE,
HauteLook, Nestle Waters, News Corp Australia and Sony, the company
said.

It remains unknown if any of these giants and their customers’ data
were impacted; in the alert, Salesforce said that it doesn’t know if
or how often data leakage occurred. However, since the issue impacts a
subset of the platform, the scale of the issue is presumably somewhat
mitigated.

“We are unable to confirm if your data was viewed or modified by
another customer,” Salesforce explained in its alert, noting that it
was notifying all customers just to be on the safe side. “While
Salesforce continues to conduct additional quality checks and testing
in relation to this issue, we recommend that you monitor and review
your data carefully to ensure the accuracy of your account.”

The company said in its official notice that it spotted the problem on
July 18, meaning it waited more than two weeks to alert its customer
base.

“When the Salesforce security team became aware of the issue on July
18, 2018, an emergency release (eRelease) was issued the same day to
resolve the issue,” the alert said.
