What You Need to Know


The Gist

  • A misconfiguration. Salesforce misconfiguration exposes private data across multiple sites, including government agencies, healthcare institutions and banks.
  • Potential risk. Over 150,000 companies relying on Salesforce are potentially at risk due to this data exposure.
  • Guest policy problem. The issue is not a vulnerability, but a misconfiguration issue that administrators make when setting up guest policies.

Gather ’round for a shocking tale of customer data security, or rather, the lack thereof! Is Salesforce, the powerhouse CRM platform you know and love, spilling your precious customer data like a fumbling waiter with a tray full of drinks? The debacle is unfolding at an alarming pace, potentially making your private data more public than a viral cat video.

Data security should be top of mind for all enterprise business leaders as the amount and types of data we hoover up continually grow. And yet the lesson of data security has reared its ugly head once again. It seems that many public Salesforce sites are inadvertently revealing private data, and you won’t believe the impact it’s having. In the latest bombshell from KrebsOnSecurity, it has been revealed that a misconfiguration in the Salesforce platform is compromising private customer data across multiple sites. The affected organizations include government agencies, healthcare institutions and banks, and in many cases the exposed data included names, addresses and Social Security numbers.

It seems that we’re playing catch-up in this ever-evolving game of cat and mouse. With more than 150,000 companies relying on Salesforce, this issue has created a potential avalanche of data exposures, putting sensitive customer information at risk.


What Went Wrong

So, how did this happen? Salesforce’s public-facing sites are intended for marketing and customer relationship management (CRM) purposes. According to a statement from Salesforce, these data exposures are not the result of a vulnerability but instead appear to be a misconfiguration that administrators make when setting up guest policies. Krebs is on the same page, it appears, writing, “The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.”
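The check an administrator would want after reading this is whether the site’s guest user profile can read any object that holds customer records. The following is an added example, not code from the article, Krebs or Salesforce: it evaluates rows shaped like Salesforce’s ObjectPermissions records for a guest profile and flags every object an unauthenticated visitor could read. The sample rows and the list of “sensitive” objects are constructed assumptions; the field names mirror the real ObjectPermissions fields.

```python
from dataclasses import dataclass

# Constructed sample of ObjectPermissions rows for a community's guest
# profile (assumption: in practice these would be exported from the org
# with a SOQL query against ObjectPermissions, filtered to that profile).
GUEST_OBJECT_PERMISSIONS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"SobjectType": "Account", "PermissionsRead": False, "PermissionsViewAllRecords": False},
]

# Objects that commonly hold personal data; which ones count as sensitive
# is an assumption for this example, not a Salesforce-defined list.
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account", "Case", "User"}


@dataclass(frozen=True)
class Finding:
    sobject: str
    severity: str  # "high" for guest read on a sensitive object, else "info"
    reason: str


def audit_guest_permissions(rows, sensitive=SENSITIVE_OBJECTS):
    """Return one Finding per object the guest profile is allowed to read."""
    findings = []
    for row in rows:
        if not row.get("PermissionsRead"):
            continue  # no read permission: not reachable by a logged-out visitor
        obj = row["SobjectType"]
        if obj in sensitive:
            reason = "guest read access on an object that holds personal data"
            if row.get("PermissionsViewAllRecords"):
                # View All Records also bypasses org-wide defaults and sharing rules
                reason += "; View All Records bypasses sharing rules entirely"
            findings.append(Finding(obj, "high", reason))
        else:
            findings.append(Finding(obj, "info", "guest read access (confirm this is intended public content)"))
    return findings


if __name__ == "__main__":
    for f in audit_guest_permissions(GUEST_OBJECT_PERMISSIONS):
        print(f"[{f.severity.upper()}] {f.sobject}: {f.reason}")
```

Read permission alone is not the whole story, since org-wide defaults and sharing settings for the guest user also decide which records are visible, but an object with guest read access on a sensitive type is the first thing to review.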
