Tag Archives: Salesforce.com

The Insecurity of Email

While everyone has heard about the DNC and DNCC hacks and the hack of the Hillary Clinton campaign emails, there was another recent email hack – at Salesforce.com .

The attack was not to obtain credit cards, nor was it to steal customer lists or the sales forecast.

This time the hacker wanted to know what the board was up to.  Like most boards in the country, Salesforce’s board communicated via email.

In this case, the board member who’s email was hacked was none other than Colin Powell.

What we do know about what was in those emails was a board presentation.  The presentation was about acquisition targets – Linkedin (code name Burgundy); Service Now (code name Sonoma); Tableau (code name Tuscany) and Demandware (code name Champagne).  Salesforce bid on LinkedIn but lost to Microsoft.

Also in the presentation was a list of potential competitors: HP, IBM, Oracle, Apple, Facebook and others.

In this case, perhaps, the revelation of the board presentation wasn’t fatal to Salesforce, LinkedIn or Microsoft, but consider this.

What if the attacker used the information to play the market?  Or sell it to change the market?  Unlike with the attack against Dyn last week, if someone did that, people could still get to Twitter, so the world is still good.

But someone could get rich.  They could sell that information many times and not personally do insider trading.  That would make it much harder to trace back to the hacker.  The hacker might not even be in the U.S.

But ponder this.

What ELSE was in Colin Powell’s email?

Likely, his email was not limited to one board presentation.  Or even his board work for one company.

He is or was on the board of Revolution Health, the Council on Foreign Relations and, of course, Salesforce.

He probably also advises other companies on a wide variety of matters.

Likely all in the hands of a hacker.

Nowadays, people use email as a filing cabinet.  Powell’s email may go back years or possibly, even decades.

What other interesting stuff might be in there?

Because people value convenience over security, those years of email are all stored on some ISP’s server.  Get Powell’s password, log on from anywhere in the world and J.A.C.K.P.O.T.!

There are many ways to make things much more secure such as end to end email encryption.  Break into the ISP and what you get is a bunch of gibberish.   Combine that with two factor authentication and things are definitely harder for the hacker.  But not as convenient for you.

If you are in a position where you are a party to sensitive, confidential information, you should rethink the idea of traditional email as a communication vehicle.

But understand that things may be somewhat less convenient.

Security.  Convenience.  Be the next Colin Powell.  Your choice.

Information for this post came from The Street.