A misconfiguration in Salesforce Community settings has led a large number of organizations—including those in regulated industries—to leak private information.
Why It Matters: Cybersecurity threats don’t always come from outside an organization. Reusing generic permission settings leads to overexposed data and a higher risk of accidentally disclosing protected information.
- Unauthorized users can access records because of the misconfiguration.
- Protected data such as contact information, Social Security numbers, and other personal information was compromised as a result.
- Automated scanners are available to verify proper settings and avoid a costly outcome like this.
Here are 4 things you need to know about the Salesforce Community leaks:
1. What Is Salesforce Community?
Salesforce is the leading CRM tool, relied on by around 150,000 users. Salesforce offers a series of products that address many IT needs. One of these products, Salesforce Community, is a cloud-based program for quickly creating new websites.
There are two ways to set up access to a website built with Salesforce Community. The first requires visitors to create an account and log in, while the second allows unauthenticated visitors to view certain resources as a guest, without logging in.
It was this second, guest-access option that was at fault in these leaks: guest users were able to access protected information.
2. How Was Sensitive Data Leaked?
The pandemic forced a lot of organizations to quickly expand their online capabilities. A rushed digital transformation meant that processes which would otherwise have received greater scrutiny were pushed through quickly.
“The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in,” said a spokesperson from KrebsOnSecurity, which broke the story.
During COVID, organizations needed to quickly spin up new websites that provided services otherwise offered in person. The standard security review processes were eschewed to prioritize speed. This led to the misconfigurations that eventually exposed sensitive data.
User access control is a major concern for Salesforce customers. The profiles and permission sets assigned to each user dictate which data they are able to view, edit, and delete. In this case, guest user profiles were accidentally granted access to more records than was appropriate.
3. Who Was Impacted?
This misconfiguration is not unique to one industry. Rather, anyone who sets up Salesforce Community websites without properly configuring the security settings has the potential to expose sensitive information.
Here are a few of the major organizations that experienced data exposure as a result of this vulnerability:
- State of Vermont
- TCF Bank
- Washington DC Health
This is not an exhaustive list of the affected organizations. There are many more examples of companies using Salesforce Community websites without applying proper permission settings.
Financial companies, government bodies, and other organizations in regulated industries, which are subject to additional data security regulations, leave themselves open to falling out of compliance through misconfigurations such as this. Fines, penalties, and loss of consumer confidence are all potential outcomes when companies fail to properly protect sensitive data.
4. How Can This Be Prevented?
Many of these websites were created in a rush. Taking the pandemic into account, it’s understandable that organizations needed to prioritize the initial setup of these websites.
However, it’s essential to take adequate data security precautions to avoid exposing sensitive data entrusted to you.
Using an automated tool is highly recommended to ensure proper permission and profile settings in a Salesforce environment. OrgScan can be set to automatically find and flag settings that have the potential to expose sensitive records. This is critical for organizations in regulated industries to avoid data leaks and remain compliant with applicable regulations.
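To show concretely what an automated permission check like the one recommended above does, here is an added example in Python. It is not code from this article and not OrgScan. It reads the object-level permissions of the site guest profiles described in section 2, either from a live org through the REST query API or from a constructed export embedded in the script, and flags any guest profile that can write records or read an object that holds personal data. The SOQL query is my assumption of how to select guest-user profiles and should be checked against your org's API version; the profile names, object list and sample records are constructed for the demo.

```python
"""Audit guest-profile object permissions exported from a Salesforce org.

Added example, not code from the original article or from OrgScan. It assumes
an export shaped like the REST API's response to the SOQL query below; the
ObjectPermissions fields used (SobjectType, PermissionsRead/Create/Edit/Delete,
the Parent permission set and its Profile) are standard Salesforce API fields,
while the sample records, profile names and sensitive-object list are
constructed for this demo.
"""
import json
import urllib.parse
import urllib.request

# SOQL listing every object permission held by a site guest-user profile.
# Profile.UserType = 'Guest' identifies the profiles assigned to unauthenticated
# site visitors; Parent.IsOwnedByProfile restricts the query to profile-owned
# permission sets rather than standalone ones. Verify against your API version.
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete "
    "FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest'"
)

# Objects that, in this constructed example, hold personal or regulated data.
# A real org would build its own list, e.g. every object with fields classified as PII.
SENSITIVE_OBJECTS = {"Contact", "Case", "Lead", "Patient_Record__c"}

WRITE_PERMS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")


def audit_guest_permissions(records, sensitive_objects=SENSITIVE_OBJECTS):
    """Return findings as (profile_name, object_name, issue) tuples.

    Policy encoded here: a guest profile should never create, edit or delete
    records, and should not be able to read objects that hold personal data.
    """
    findings = []
    for rec in records:
        profile = rec["Parent"]["Profile"]["Name"]
        obj = rec["SobjectType"]
        granted_writes = [p for p in WRITE_PERMS if rec.get(p)]
        if granted_writes:
            findings.append((profile, obj, "guest has write access: " + ", ".join(granted_writes)))
        if rec.get("PermissionsRead") and obj in sensitive_objects:
            findings.append((profile, obj, "guest can read a sensitive object"))
    return findings


def fetch_guest_permissions(instance_url, access_token, api_version="58.0"):
    """Run GUEST_OBJECT_PERMS_SOQL against a live org through the REST query
    endpoint, following nextRecordsUrl pagination. Needs a valid OAuth access
    token with API access; not called by the offline demo below."""
    records = []
    url = (f"{instance_url}/services/data/v{api_version}/query"
           f"?q={urllib.parse.quote(GUEST_OBJECT_PERMS_SOQL)}")
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        records.extend(body["records"])
        next_url = body.get("nextRecordsUrl")
        url = f"{instance_url}{next_url}" if next_url else None
    return records


def _perm(profile, obj, read=False, create=False, edit=False, delete=False):
    # Builds one record in the shape the query above returns (constructed data).
    return {"Parent": {"Profile": {"Name": profile}}, "SobjectType": obj,
            "PermissionsRead": read, "PermissionsCreate": create,
            "PermissionsEdit": edit, "PermissionsDelete": delete}


# Constructed export: one guest profile that only exposes knowledge articles
# (acceptable), one that exposes Contact records, and one that lets guests
# create and edit Cases.
SAMPLE_RECORDS = [
    _perm("Help Center Guest Profile", "Knowledge__kav", read=True),
    _perm("Public Site Guest Profile", "Contact", read=True),
    _perm("Service Portal Guest Profile", "Case", read=True, create=True, edit=True),
]

if __name__ == "__main__":
    for profile, obj, issue in audit_guest_permissions(SAMPLE_RECORDS):
        print(f"[FINDING] {profile}: {obj}: {issue}")
```

Object-level permissions are only one layer of guest access (sharing settings, field-level security and Apex class access also matter), so a real scanner would apply the same pattern to those too, but flagging read access to objects such as Contact on a guest profile is exactly the kind of check that surfaces the overexposure described in this article before a visitor finds it.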
The data leaks that resulted from faulty settings on hastily created Salesforce Community websites could have been prevented. Careful attention during the early stages of setup and the use of an automated policy scanning tool could have saved hours of additional work and protected countless instances of personally identifiable information (PII).