According to The Register, “Salesforce.com (SFDC) has been caught with its pants down after phishers persuaded an employee to hand over customer contact details.”
That SFDC customers have been specifically targeted should not come as a surprise. The SaaS and PaaS models mean that more and more sensitive data and applications which manage that data are being built on the SFDC platform. It’s an attractive and very large, high-profile target.
Apparently, one of their own employees fell for a phishing scam which resulted in compromised authentication credentials. A commentator on Bruce Schneier’s blog suggests that the employee might have “sold his login information to the phishers.”
SFDC themselves have issued an email to their customers stating that the intrusion did not “stem from a security flaw in our application or database.” While this might be true, what their system didn’t do was detect the unauthorised access, nor ensure that access to confidential data requires two-factor authentication (2FA) – or indeed anything stronger than a username and password.
Regardless, SFDC should be respected for quickly reaching out to customers with positive messages and sound advice, such as to modify “your Salesforce implementation to activate IP range restrictions.”
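The two controls the post names, IP range restrictions and 2FA, can also be applied after the fact as a detection check over login records, which is the gap the post points at. The following is an added example, not code from the post or from Salesforce; the log field names, the trusted address range and the sample events are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample login records; field names are assumptions, not a real
# Salesforce audit-log format.
SAMPLE_LOGINS = [
    {"user": "alice@example.com", "src_ip": "203.0.113.10", "mfa": True},
    {"user": "bob@example.com",   "src_ip": "203.0.113.77", "mfa": False},
    {"user": "carol@example.com", "src_ip": "198.51.100.5", "mfa": True},
]

# Assumed corporate allow-list, standing in for an org's real trusted ranges.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Finding:
    user: str
    src_ip: str
    reasons: list


def evaluate_login(event, trusted_ranges=TRUSTED_RANGES, require_mfa=True):
    """Return the policy violations for one login event (empty list if clean).

    A phished password used from the attacker's own network shows up as a
    source outside the trusted ranges; a password-only login is flagged
    regardless of where it came from.
    """
    reasons = []
    try:
        addr = ipaddress.ip_address(event["src_ip"])
    except ValueError:
        return ["unparseable source address"]
    if not any(addr in net for net in trusted_ranges):
        reasons.append("source outside trusted IP ranges")
    if require_mfa and not event.get("mfa", False):
        reasons.append("password-only authentication")
    return reasons


def audit(events, **policy):
    """Run evaluate_login over a batch and keep only the events with findings."""
    findings = []
    for event in events:
        reasons = evaluate_login(event, **policy)
        if reasons:
            findings.append(Finding(event["user"], event["src_ip"], reasons))
    return findings
```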
This also stands to reinforce the importance of security awareness messages as a mitigating control against data compromise. We’ve got to work harder and spend a greater proportion of our resources on education. Perhaps we should start to hold employees personally accountable as negligent if they are tricked into revealing data that results in a compromise? Surely, it’s as bad as a developer writing vulnerable code or a network technician opening the wrong port on the firewall. All three scenarios are likely to result in the same outcome, so why don’t we address each of them with the same effort?