Salesforce Security Alert: API Error Exposed Marketing Data
Marketing Cloud Data Potentially Accessed or Corrupted Over 6-Week Period
Cloud-based customer relationship management software giant Salesforce.com is warning some users of its Marketing Cloud that any data they stored may have been accessed by third parties or inadvertently corrupted because of an API error that ran from June 4 to July 18.
A copy of the alert from San Francisco-based Salesforce, which was distributed by email about 6 p.m. on Thursday evening, U.S. Pacific Time, states that the error involved the company's REST application programming interface.
"During a Marketing Cloud release between June 4, 2018, and July 7, a code change was introduced that, in rare cases, could have caused REST API calls to retrieve or write data from one customer's account to another inadvertently," according to the alert, a copy of which was obtained by Information Security Media Group. "Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data."
Salesforce has since posted a knowledge article with a brief overview of the problem.
Bad news for Salesforce customers: The software-as-a-service giant says it does not know whether data was inadvertently altered or maliciously tampered with, although it says it has seen no evidence of the latter.
"We have no evidence of malicious behavior associated with this issue," a Salesforce spokesman tells ISMG.
But the security advisory stops short of saying definitively that such activity did not occur. "We are unable to confirm if your data was viewed or modified by another customer. As a result, we are notifying all potentially impacted customers who accessed the Marketing Cloud during this period," according to its alert.
"While Salesforce continues to conduct additional quality checks and testing in relation to this issue, we recommend that you monitor and review your data carefully to ensure the accuracy of your account," it says.
In addition, Salesforce says that any organization whose users accessed its Marketing Cloud Email Studio or Predictive Intelligence products - either via the online user interface or REST API calls - may have had their Marketing Cloud data corrupted.
Why Wasn't Salesforce Logging Activity?
Incident response expert David Stubley, who heads Edinburgh-based security testing firm and consultancy 7 Elements, says he's surprised that Salesforce cannot tell customers if their data was accessed by others or altered.
"In my opinion, this is below expectations," Stubley tells ISMG. "I am surprised that an organization of this size does not have effective monitoring or logging in place. I would be asking them: What are they going to put in place now?"
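As an added illustration (not Salesforce's code, whose internals the alert does not describe), the constructed Python sketch below shows the class of defect the alert describes, a record lookup that is not qualified by the calling customer's account, beside a tenant-scoped version, together with the per-call audit record that Stubley's criticism points at: with such a log, an operator can answer whether another tenant read or wrote a given customer's data. All tenant names, record ids and payloads are constructed.

```python
"""Added example, not Salesforce code: a toy multi-tenant REST-style data
store. It shows (1) the class of bug in the alert, where a call scoped to
one customer account reaches another account's records, and (2) the
per-call audit log that later lets an operator answer "was my data read or
written by another tenant?". Every name and value here is constructed."""
from dataclasses import dataclass, field

# Constructed sample store: record id -> (owning tenant, payload)
RECORDS = {
    "rec-1": ("acme", {"email": "a@acme.example"}),
    "rec-2": ("globex", {"email": "b@globex.example"}),
}

@dataclass
class Api:
    records: dict
    audit: list = field(default_factory=list)

    def _log(self, caller, rec_id, op, outcome):
        # One audit event per API call: who called, which record, who owns it
        owner = self.records.get(rec_id, (None,))[0]
        self.audit.append({"caller": caller, "record": rec_id,
                           "owner": owner, "op": op, "outcome": outcome})

    def read_unscoped(self, caller, rec_id):
        """Defective handler: looks the record up by id alone, so a caller
        can retrieve another tenant's record (the alert's 'retrieve ... data
        from one customer's account to another')."""
        self._log(caller, rec_id, "read", "ok")
        return self.records[rec_id][1]

    def read(self, caller, rec_id):
        """Hardened handler: every lookup is qualified by the caller's tenant."""
        owner, payload = self.records.get(rec_id, (None, None))
        if owner != caller:
            self._log(caller, rec_id, "read", "denied")
            raise PermissionError("record is not in the caller's account")
        self._log(caller, rec_id, "read", "ok")
        return payload

def cross_tenant_events(audit):
    """Detection over the audit log: every call where caller and record
    owner differ, whatever the outcome. Keeping this record is what lets
    a provider tell a customer whether another tenant touched their data,
    instead of 'we are unable to confirm'."""
    return [e for e in audit
            if e["owner"] is not None and e["owner"] != e["caller"]]
```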
Did Salesforce Spot the Problem First?
Salesforce's advisory doesn't state how its security team identified or first heard about the problem. Salesforce has yet to comment to ISMG on that question, or on whether it was logging API calls and, if not, whether it now plans to do so.
The company did say that it traced the problem to "a recent code change introduced during a Marketing Cloud release that modified the way REST API calls were processed in the Marketing Cloud" and that it was spotted on July 18.
"When the Salesforce security team became aware of the issue on July 18, 2018, an emergency release (eRelease) was issued the same day to resolve the issue," it says.
The company then issued its email alert to potentially affected customers 15 days later.
But Stubley says he knows of some U.K.-based Salesforce customers who were warned about the problem via a call from their Salesforce account manager a day before the email alert was distributed. "Were all clients advised by a phone call or just a selective set?" he says. "I can't see justification for a two-tier notification system; you should let all of your customers that are potentially impacted know [at the same time]."
What is Marketing Cloud?
Together with sales and service offerings, Salesforce's marketing capabilities have long formed its core triumvirate of key products. The premise of the Marketing Cloud is that it enables Salesforce users to target their business-to-consumer and business-to-business customers using data they've already gathered and stored in their Salesforce CRM system.
"Market with trust and security," Salesforce says on its website. "Whether you have dozens or billions of customers, deliver your personalized messages securely when it matters most."
What's at Risk?
Salesforce's alert refers to three specific products or services:
- REST API: An API, or application programming interface, allows two applications or services to communicate. The advisory says the problem occurred in the Force.com REST API and how it interacted with Marketing Cloud. While the REST API has Force.com - Salesforce's platform-as-a-service product - in its name, "Force.com is not impacted," a Salesforce spokesman says.
- Marketing Cloud Email Studio: This is a drag-and-drop tool designed for sending promotional, e-commerce, transactional and triggered emails.
- Marketing Cloud Predictive Intelligence: This product is pitched by Salesforce on its website as being a tool "that allows you to use your customers' behavioral data to recommend products both on your website and through email communication."
Salesforce Advice: 'Review Your Data'
It's not clear if the REST API problems may have exposed personally identifiable information for anyone in Europe.
In theory, Marketing Cloud would have access to Salesforce customers' customer and sales prospect contact details, as well as potentially demographic and other information used to "segment" customers for marketing purposes.
The Information Commissioner's Office, which enforces the U.K.'s privacy laws, didn't immediately respond to a request for comment about whether it was aware of the security alert and investigating. Under the EU's General Data Protection Regulation, organizations that expose European residents' PII must alert relevant authorities within 72 hours of learning about the potential incident (see Under GDPR, Data Breach Reports in UK Have Quadrupled).
This story has been updated with comment from Salesforce.