Salesforce Says It Won't Pay Extortion Demand in 1 Billion Records Breach (arstechnica.com) 28
Salesforce says it's refusing to pay an extortion demand made by a crime syndicate that claims to have stolen roughly 1 billion records from dozens of Salesforce customers. From a report: The threat group making the demands began their campaign in May, when they made voice calls to organizations storing data on the Salesforce platform, Google-owned Mandiant said in June. The English-speaking callers would provide a pretense that necessitated the target connect an attacker-controlled app to their Salesforce portal. Amazingly -- but not surprisingly -- many of the people who received the calls complied.
[...] Earlier this month, the group created a website that named Toyota, FedEx, and 37 other Salesforce customers whose data was stolen in the campaign. In all, the number of records recovered, Scattered LAPSUS$ Hunters claimed, was "989.45m/~1B+." The site called on Salesforce to begin negotiations for a ransom amount "or all your customers [sic] data will be leaked." The site went on to say: "Nobody else will have to pay us, if you pay, Salesforce, Inc." The site said the deadline for payment was Friday.
Why are the bad guys winning? (Score:2)
Kind of a sincere question they I admit that I have a lot of theories about the answers...
Tease my biggest? Inability of the police to understand what's going on? Or maybe something about innovator's advantage to the crooks?
Related reading: How about Nexus by Harari?
Re: (Score:2)
*sigh*
FP haste makes waste.
s/they I admit/though I admit/
Re:Why are the bad guys winning? (Score:5, Insightful)
Re: (Score:3)
There it is.
Re: (Score:2)
Exactly, self host if you don't want to be part of that risk.
Re: (Score:2)
But when your front door is accessed by anyone with a computer half a world away, there will be aggressive knocking... All day every day.
Re: (Score:3)
It's multivariate of course but I think you bring up two important points, the criminals absolutely have an advantage.
Another one is the general difficulty in enforcing laws across international borders, particularly when you have some major countries where this type of thing is practically (and many times) state sponsored (Russia, China, N. Korea) and many where there's thriving black markets and it's effectively allowed and part of their economy.
Also the fact that it works means there are just more and mor
Re: (Score:2)
We all inherently understand this with children, animals and adults: if a bad action is done and there are no consequences how will anyone learn that it's bad at all and not continue doing it?
Big deal (Score:5, Funny)
stolen roughly 1 billion records
Based on the complexity of most Salesforce installations I've seen, the thieves should be paying Salesforce to help them interpret the garbage they've downloaded, not the other way around...
Re: (Score:1)
Re: (Score:2)
stolen roughly 1 billion records
Based on the complexity of most Salesforce installations I've seen, the thieves should be paying Salesforce to help them interpret the garbage they've downloaded, not the other way around...
It's likely the truth is they only have reasonably complete and valid records for about 20 million people. The rest are duplicates, incomplete, or inaccurate.
I don't see where Salesforce is at fault here (Score:3, Interesting)
I don't see where Salesforce is at fault here.
"The English-speaking callers would provide a pretense that necessitated the target connect an attacker-controlled app to their Salesforce portal. Amazingly -- but not surprisingly -- many of the people who received the calls complied."
Sounds like end-user stupidity.
If I am storing my data on your server and I send you commands to download that data, that's the normal course of what you do for me.
If you're dumb enough to let hackers into your system to download your data "in your name", then that's on you.
Based on what I read here, Salesforce is on the side of the angels here.
Re:I don't see where Salesforce is at fault here (Score:5, Funny)
I don't see where Salesforce is at fault here.
They're not.
Sounds like end-user stupidity.
It was.
Based on what I read here, Salesforce is on the side of the angels here.
Whoa, there.
On the side of the slower-growing cancers, for sure. Angels? No, sir.
Re: (Score:2)
It's much easier to try to get money out of a single company (Salesforce) than from the multiple customers. Salesforce has far far deeper pockets.
While it's not Salesforce's fault, they certainly fear losing the customers and the lost revenue that'd mean. But also it's the general optics. Most people aren't going to read the entire article. They just see the headline that Salesforce refuses to pay the ransom for 1 billion customer records, and they assume Salesforce allowed hackers to get that data. Those h
Re: (Score:2)
While it's not Salesforce's fault, they certainly fear losing the customers
No, that might be a reasonable inference if they were paying the ransom, but they actually are refusing to pay it.
So they probably do not fear losing the customers.
They're not selling a product people buy on a whim, and large customers have limited options. If another company is offering similar services, they'll have the exact same exposure; if they're allowed to connect apps to their service, then it is up to them not to let their own employees connect malicious apps. If they didn't need to connect apps t
Re: (Score:2)
Never used Salesforce stuff before.
With that said, wouldn't you need some sort of admin access to do such things? Does the average user in a large org have such access?
Amazingly -- but not surprisingly (Score:2)
You can't claim to be amazed by something that isn't surprising.
Re: (Score:2)
It can be amazing when a Magician does a trick, but you shouldn't be surprised that a Magician is doing tricks.
Re: (Score:2)
Some of the more extreme cyberattacks are each amazing in their scope, but not surprising considering the frequency of such attacks.
Why do we allow this? (Score:2)
Normally, I'm one to let businesses decide what's best for them. But it's obvious here that paying just reinforces that this is a great business model for the pirates. So I'm gonna step outside of my comfort zone.
Paying the pirates should be forbidden by law, simply as a national security interest in protecting all the other companies in the United States. You other countries can pass your own law. If a company is caught paying, the corporate veil should be pierced and the executive ordering the payment
Re: (Score:2)
Where do you draw the line between suppliers increasing prices and ransom-ware?
Re: (Score:3)
If major corporations like Toyota, FedEx, and 37 other customers got hacked, that is a deficiency in the design of Salesforce.
They are large companies, but TransUnion was the only financial services or healthcare company I noticed in the list of companies breached. Most companies outside of those sectors do a horrible job with security. I work at a healthcare company with 15 Salesforce orgs, and we would have been well protected from this even if an admin was tricked. And we have 3 tiers of admins with only the top tier having enough permissions to do what was necessary for this hack, and it's very unlikely that our most well trai
Re: (Score:2)
How would such limits help? The typical worker who uses Salesforce actually *does* need access to large swaths of data. No company can manage security to the degree that employees have to ask permission separately for each and every item they access. You'd have to have a security team bigger than the employee count of all other employees!
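The two comments above disagree about whether access limits can help against this kind of attack. The point the tiered-admin comment makes is narrower than "ask permission for every record": ordinary users keep their data access, but only the top tier can take the two actions the campaign depended on, authorizing a new connected app and exporting the org in bulk, and those actions are logged and reviewed. The following is an added example, not code from the thread or from Salesforce, that models that control and runs a review over a constructed audit trail. The tier names, action names, app names, user names and the log format are all invented for the example and are not Salesforce identifiers.

```python
"""Added example (not from the thread or from Salesforce): a toy model of the
tiered-admin and allowlisted-connected-app controls discussed above, run over
a constructed audit trail. All field, action, app and user names are invented."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed tier model (assumption): only tier 3 may authorize a connected app
# or run a bulk export of the org's records. Tier 0 is an ordinary user.
TIER_RIGHTS = {
    1: {"reset_password"},
    2: {"reset_password", "manage_user"},
    3: {"reset_password", "manage_user", "authorize_connected_app", "bulk_export"},
}
USER_TIER = {"helpdesk.ann": 1, "ops.bob": 2, "admin.cy": 3, "sales.dee": 0}
APP_ALLOWLIST = {"corp-reporting", "corp-backup"}   # constructed app names
EXPORT_WINDOW = timedelta(hours=2)   # export soon after a new app is worth a look
EXPORT_THRESHOLD = 100_000           # records in a single export


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    detail: str = ""   # app name for authorize_connected_app, record count for bulk_export


def permitted(user, action):
    """Does the tier model allow this user to take this action at all?"""
    return action in TIER_RIGHTS.get(USER_TIER.get(user, 0), set())


def review(events):
    """Return (rule, user, detail) findings in time order."""
    findings = []
    recent_apps = []   # (ts, user, app) for authorizations of apps not on the allowlist
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action in ("authorize_connected_app", "bulk_export") and not permitted(ev.user, ev.action):
            # The model says this cannot happen; if it is in the log, either the
            # model is not actually enforced or the account is acting outside its role.
            findings.append(("privileged_action_outside_tier", ev.user, ev.action))
        if ev.action == "authorize_connected_app" and ev.detail not in APP_ALLOWLIST:
            # This is the step the callers in the article talked victims into.
            findings.append(("unlisted_connected_app", ev.user, ev.detail))
            recent_apps.append((ev.ts, ev.user, ev.detail))
        if ev.action == "bulk_export":
            count = int(ev.detail)
            for ts, user, app in recent_apps:
                if user == ev.user and ev.ts - ts <= EXPORT_WINDOW and count >= EXPORT_THRESHOLD:
                    findings.append(("large_export_after_new_app", ev.user, app))
    return findings


# Constructed audit trail: one legitimate app, one unlisted app followed by a
# large export, and a tier-2 admin attempting an action outside their tier.
T0 = datetime(2025, 10, 3, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "helpdesk.ann", "reset_password", "sales.dee"),
    Event(T0 + timedelta(minutes=5), "admin.cy", "authorize_connected_app", "corp-reporting"),
    Event(T0 + timedelta(minutes=30), "admin.cy", "authorize_connected_app", "data-loader-support"),
    Event(T0 + timedelta(minutes=45), "admin.cy", "bulk_export", "2400000"),
    Event(T0 + timedelta(hours=1), "ops.bob", "authorize_connected_app", "data-loader-support"),
    Event(T0 + timedelta(hours=3), "admin.cy", "bulk_export", "500"),
]

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(*finding)
```

The review rules separate the three things the thread conflates: an ordinary user's read access to records (untouched here), the right to connect a new app (restricted to one tier and allowlisted), and a bulk export shortly after an unlisted app was connected (the combination the campaign needed). A top-tier admin who is talked into authorizing an unlisted app still shows up in the findings, which is the case the tiered-admin comment describes as "tricked".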