According to SF Gate, Salesforce have been taken to court 14 times already this September, with the recent wave of cyber attacks encouraging impacted customers to file lawsuits against the CRM giant.
Allianz Life Insurance, Farmers Insurance, Pandora, TransUnion, and Workday are mentioned as some of the co-defendants involved, with 23 plaintiffs reportedly being named.
Why Have They Been Sued?
Over the last few months, several Salesforce instances have been compromised by hacking groups that use social engineering tactics – such as voice phishing (vishing) – to trick employees into authorizing malicious third-party apps. Victims were then walked through granting the attackers access to their organization. From there, the intruders were able to capture large volumes of sensitive company data, both internal and external.
Besides those already named, many other large companies have also been hit, including Google, Chanel, and Jaguar Land Rover. This recently prompted an official FLASH alert from the FBI, which details technical indicators organizations can use to determine whether these attackers are inside their Salesforce environment.
The attackers have been linked to well-known groups, including ‘ShinyHunters’, which Google’s Threat Intelligence Group (GTIG) also tracks under the name UNC6040. Others, such as Scattered Spider, have been mentioned in connection with similar campaigns, suggesting a loose network of financially motivated crews rather than a single actor.
In our reporting on this, we have consistently stressed that Salesforce itself has not been compromised, nor is it really at fault for these attacks.
However, many of the impacted companies feel differently, and the filing reportedly argues that Salesforce should have done more to secure its platform.
Amber Schubert, a lawyer on a few of the complaints, told SFGATE on Wednesday:
“Salesforce is the hub connecting these attacks.
“It failed to secure its system and didn’t detect and block a malicious app on its platform, exposing the data of millions of Americans to cybercriminals.”
Details are still emerging about the lawsuits, and it’s likely more information will surface in the coming days.
We have reached out to Salesforce for comment.
Are Salesforce at Fault?
In this case in particular, it’s all going to come down to how they litigate this statement: “It failed to secure its system and didn’t detect and block a malicious app on its platform, exposing the data of millions of Americans to cybercriminals.”
The lawyer characterizes this as if there were an “app” in the sense most people understand it: something installed on a platform, like an app on a phone. But the “connected app” feature – which is at the heart of this – is not what most lay people would consider an app. It is simply the name for the security and authorization configuration that lets an external tool or application be granted access to Salesforce through an identity protocol such as OAuth 2.0.
Salesforce did leave open a potential avenue for misuse under certain circumstances through the OAuth 2.0 device flow, which it retired about a month ago.
In a recent blog post, the company outlined how it has “hardened” its OAuth approach. That move demonstrates proactive security improvement, but plaintiffs may seek to frame it as evidence that Salesforce left a gap unaddressed for too long.
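To make the customer-side responsibility concrete, here is an added example (not code from this article or from Salesforce) of the kind of review an admin can run over an export of connected-app grants to surface an unapproved app that was authorized recently and is pulling data at scale. The record fields, app names, scope names and thresholds are constructed assumptions for illustration, not Salesforce's schema.

```python
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a connected-app grant export:
# one row per (app, user) authorization. Field names are assumptions.
SAMPLE_GRANTS = [
    {"app": "Finance Reporting", "user": "a.lee", "created": "2025-09-01T09:10:00",
     "scopes": ["api", "refresh_token"], "use_count": 45},
    {"app": "Data Loader Helper", "user": "j.ortiz", "created": "2025-09-10T14:02:00",
     "scopes": ["api", "refresh_token", "full"], "use_count": 1200},
    {"app": "Slack", "user": "j.ortiz", "created": "2024-03-12T11:00:00",
     "scopes": ["api"], "use_count": 300},
]

# Apps an administrator has reviewed and approved; anything else is unknown.
APPROVED_APPS = {"Finance Reporting", "Slack"}
# Scopes (constructed names) that would let an app read records through the API.
API_CAPABLE_SCOPES = {"full", "api"}


def review_grants(grants, approved, now, window_days=30, use_threshold=500):
    """Return findings for unknown apps that show at least one activity signal.

    A grant is escalated only when the app is not on the approved list AND it
    was either authorized within the review window or has heavy token use
    combined with API-capable scopes (the pattern of a bulk data pull).
    """
    cutoff = now - timedelta(days=window_days)
    findings = []
    for grant in grants:
        if grant["app"] in approved:
            continue  # known app: out of scope for this review
        signals = []
        if datetime.fromisoformat(grant["created"]) >= cutoff:
            signals.append("authorized within last %d days" % window_days)
        if (grant["use_count"] >= use_threshold
                and API_CAPABLE_SCOPES & set(grant["scopes"])):
            signals.append("high token use with API-capable scopes")
        if signals:
            findings.append({"app": grant["app"], "user": grant["user"],
                             "reasons": signals})
    return findings


if __name__ == "__main__":
    for finding in review_grants(SAMPLE_GRANTS, APPROVED_APPS, datetime(2025, 9, 15)):
        print(finding["app"], finding["user"], "; ".join(finding["reasons"]))
```

On the constructed data only the unapproved "Data Loader Helper" grant is flagged, with both signals; the approved apps are skipped regardless of their activity.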
Final Thoughts
When it comes to whether this is really Salesforce’s fault, one Redditor summed it up perfectly: “You don’t sue a door or lock manufacturer when you leave your front door open and unlocked and come home to find your house ransacked.”
While emotions understandably run high after a breach, the legal case against Salesforce may be on shaky ground. The company can likely demonstrate that it provided the necessary safeguards, documentation, and warnings, placing the responsibility back on customers to manage access and monitor third-party apps.
How the lawsuit ultimately plays out will be worth watching, but early indications suggest the burden of proof will be difficult to meet.