What happens when Salesforce software is misconﬁgured.
Why ICANN was vulnerable to attack
ICANN’s Salesforce environment which was storing customer data, was misconﬁgured. Since the data
breaches occurring were not instantly obvious to ICANN’s security team, their data continued to be
repeatedly exposed for nearly a year. While ICANN’s data breaches stemmed from a security issues with
their Salesforce’s advanced search feature, there are endless other potential openings for any company
where data can be exposed.
Salesforce ‘out-of-the-box,’ is a secure platform which can be trusted to store data in the cloud.
However, once a company starts customizing their Salesforce and adding custom code or third-party
extensions, they open themselves up to attack. This is because Salesforce’s security promise only covers
the variables they can control. Software misconﬁgured by outside, uninformed developers and/or
administrators is the customer’s responsibility.
Ignorance is Not Bliss
In many cases, companies do not realize their joint security responsibility with Salesforce until it’s too
late. Take the Internet Corporation for Assigned Names and Numbers (ICANN) for example. This large,
non-proﬁt organization utilizes Salesforce to help them ensure the Internet’s network is stable and
secure for people using it around the world. In other words, ICANN relies on Salesforce to help it
maintain the backbone of the Internet. On April 30, 2015, ICANN regretfully announced its Salesforce
data had been exposed 330 times over the span of 11 months.
ICANN’s Salesforce admins - didn’t detect the breach
ICANN’s security experts - didn’t detect the breach
ICANN’s developers - didn’t detect the breach
ICANN’s data not secured
for 11 monthes