Salesforce Security Alert: API Error Exposed Marketing Data

Marketing Cloud Data Potentially Accessed or Corrupted Over 6-Week Period

(euroinfosec) • August 3, 2018

Cloud-based customer relationship management software giant Salesforce.com is warning some users of its Marketing Cloud that any data they stored may have been accessed by third parties or inadvertently corrupted because of an API error that ran from June 4 to July 18.

A copy of the alert from San Francisco-based Salesforce that was distributed by email around 6 p.m. on Thursday evening, U.S. Pacific Time, states that the error involved the company's REST application programming interface.

"During a Marketing Cloud release between June 4, 2018, and July 7, a code change was introduced that, in rare cases, could have caused REST API calls to retrieve or write data from one customer's account to another inadvertently," according to the alert, a copy of which was obtained by Information Security Media Group. "Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data."

Salesforce says it cannot confirm or deny whether the error was used by anyone with malicious intent or whether anyone's data was corrupted either on purpose or inadvertently.

Bad news for Salesforce customers: The software-as-a-service giant says it does not know if data was inadvertently altered or maliciously tampered with.

"While Salesforce continues to conduct additional quality checks and testing in relation to this issue, we recommend that you monitor and review your data carefully to ensure the accuracy of your account," according to its alert.

"We are unable to confirm if your data was viewed or modified by another customer. As a result, we are notifying all potentially impacted customers who accessed the Marketing Cloud during this period," it says.

In addition, Salesforce says that any organization whose users accessed its Marketing Cloud Email Studio or Predictive Intelligence products - either via the online user interface or REST API calls - may have had their Marketing Cloud data corrupted.

Why Wasn't Salesforce Logging Activity?

Incident response expert David Stubley, who heads Edinburgh-based security testing firm and consultancy 7 Elements, says he's surprised that Salesforce cannot tell customers if their data was accessed by others or altered.

"In my opinion, this is below expectations," Stubley tells ISMG. "I am surprised that an organization of this size does not have effective monitoring or logging in place. I would be asking them: What are they going to put in place now?"

Did Salesforce Spot the Problem First?

Salesforce's advisory doesn't state how its security team identified or first heard about the problem. Salesforce didn't respond to multiple requests for comment.

Salesforce did say that it traced the problem to "a recent code change introduced during a Marketing Cloud release that modified the way REST API calls were processed in the Marketing Cloud" and that it was spotted on July 18.

"When the Salesforce Security team became aware of the issue on July 18, 2018, an emergency release (eRelease) was issued the same day to resolve the issue," it says.

The company then issued its email alert to potentially affected customers 15 days later.

But Stubley says he knows of some U.K.-based Salesforce customers who were warned about the problem via a call from their Salesforce account manager, a day prior to the email alert being distributed. "Were all clients advised by a phone call or just a selective set?" he says. "I can't see justification for a two-tier notification system, you should let all of your customers that are potentially impacted know [at the same time]."

What is Marketing Cloud?

Together with sales and service offerings, Salesforce's marketing capabilities have long formed its core triumvirate of key products. The premise of the Marketing Cloud is that it allows Salesforce users to target their business-to-consumer and business-to-business customers using data they've already gathered and stored in their Salesforce CRM system.

"Market with trust and security," Salesforce says on its website. "Whether you have dozens or billions of customers, deliver your personalized messages securely when it matters most."

What's at Risk?

Salesforce's alert refers to three specific products or services:

Force.com API: An API, or application programming interface, allows two applications or services to communicate, including with Force.com, which is Salesforce's platform-as-a-service product. Force.com can be accessed via HTTP using the Salesforce REST API. The service is used to build cloud-based apps as well as websites.

Marketing Cloud Email Studio: This is a drag-and-drop tool designed for sending promotional, e-commerce, transactional and triggered emails.

Marketing Cloud Predictive Intelligence: This product is pitched by Salesforce on its website as being a tool "that allows you to use your customers' behavioral data to recommend products both on your website and through email communication."

Salesforce Advice: 'Review Your Data'

It's not clear if the REST API problems may have exposed personally identifiable information for anyone in Europe.

In theory, Marketing Cloud would have access to Salesforce customers' customer and sales prospect contact details, as well as potentially demographic and other information used to "segment" customers for marketing purposes.

The Information Commissioner's Office, which enforces the U.K.'s privacy laws, didn't immediately respond to a request for comment about whether it was aware of the security alert and investigating. Under the EU's General Data Protection Regulation, organizations that expose European residents' PII must alert relevant authorities within 72 hours of learning about the potential incident (see Under GDPR, Data Breach Reports in UK Have Quadrupled).