Marketing Customers informed of Data Leakage SNAFU by Salesforce
The customers affected by the Data Leakage SNAFU include Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, News Corp Australia and Sony.
Cloud behemoth Salesforce.com is warning customers about an API error that may have leaked data for some users of its Marketing Cloud offering.
According to an alert that Salesforce.com sent out to customers Thursday, it read that the issue was in play between June 4 – July 18, the issue potentially affected users of two modules within the broader Marketing Cloud offering: The Email Studio and Predictive Intelligence products.
The notice, first obtained by BankInfoSecurity and confirmed as authentic by Threatpost, described a code change that was introduced when Salesforce.com released an update to Marketing Cloud; the change resulted in incorrectly implemented REST API calls.
“In rare cases… REST API calls [could] retrieve or write data from one customer’s account to another inadvertently,” according to the alert. “Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data.”
In addition, some customers may have had their data corrupted – which is less of a privacy problem and more of a business challenge.
Marketing Cloud is a collection of platforms that allow customers to create personalized marketing campaigns across a variety of channels, ranging from traditional ads to social media to connected things. For instance, digital coolers in a grocery store can capture shoppers’ demographic data and use that information to display customized content and a call to action on an embedded touchscreen. That content might take the form of coupons, or an exhortation to go online for deals and information. Marketing Cloud powers the data collection and Big Data analysis required to follow a given shopper through this “journey,” as Salesforce calls it, and manages the increasingly personalized interactions that a company might have with that shopper, in an automated way.
In other words, Marketing Cloud handles plenty of sensitive information – collected on behalf of customers that Salesforce said “range from business-to-business and nonprofits to some of the largest business-to-consumer companies in the world,” according to its website. These include organizations like Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, News Corp Australia and Sony, the company said.
It remains unknown if any of these giants and their customers’ data were impacted; in the alert, Salesforce said that it doesn’t know if or how often data leakage occurred. However, since the issue impacts a subset of the platform, the scale of the issue is presumably somewhat mitigated.
“We are unable to confirm if your data was viewed or modified by another customer,” Salesforce explained in its alert, noting that it was notifying all customers just to be on the safe side. “While Salesforce continues to conduct additional quality checks and testing in relation to this issue, we recommend that you monitor and review your data carefully to ensure the accuracy of your account.”
The company said in its official notice that it spotted the problem on July 18, meaning it waited more than two weeks to alert its customer base.
This post was originally published on blacklakesecurity.com and it reads that “When the Salesforce security team became aware of the issue on July 18, 2018, an emergency release was issued the same day to resolve the issue,” the alert said.
Julia Sowells547 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.