Stolen Salesforce.com unencrypted external storage device
Technorati Tag: Security Breach
Date Reported:
2/7/08
Organization:
Salesforce.com
Contractor/Consultant/Branch:
None
Victims:
Current and former Salesforce.com employees
Number Affected:
Unknown*
*"Approximately 6 employees affected reside in New Hampshire." Salesforce.com is headquartered in San Francisco, California.
Types of Data:
Names, Social Security numbers, and dates of birth
Breach Description:
An "unencrypted external storage device" containing sensitive personal information belonging to current and former Salesforce.com employees was stolen from a vehicle.
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
We recently became aware of a theft of an unencrypted external storage device that may have resulted in the compromise of personal information of some current and former salesforce.com employees.
[Evan] An "unencrypted external storage device"? Wonderful! Is this whole encryption thing just a waste of time?
The potentially compromised personal information includes your name, Social Security number, and date of birth.
We are working with law enforcement authorities to recover the stolen device.
[Evan] I suppose recovery could happen, but I'm not holding my breath.
We take our obligation to safeguard your personal information very seriously, and are working to further enhance our data security practices to prevent this type of event from reoccurring.
[Evan] I see this same (or very similar) remark in almost all breach notifications. IF a company or organization REALLY does take their obligation seriously, then why don't they take the precautions necessary to demonstrate this obligation? In this case, prohibit the use of mobile media for confidential data storage. If the business case for mobile storage media is too great, then encrypt the information. Seems simple.
The personal information was not taken from the salesforce.com application, and no customer data was stored on the stolen device. This theft did not compromise our data centers or our customer security infrastructure in any way.
[Evan] I suppose this needed to be mentioned in order to save face and protect revenue, even though this is a notification letter to affected employees. If I were a victim, would I care?
The storage device was stolen from a vehicle along with several other items.
We believe this was a random criminal act, and we have no evidence that the information has been used to commit identity fraud. Nevertheless, to protect yourself, we encourage you to remain vigilant and take the precautions
To further assist you, we recommend that you register for credit monitoring, which we have arranged to provide you at no charge for twelve months.
I hope this information is useful to you. If you would like to speak with us, please email us at with your question and the best way to reach you.
We deeply regret any inconvenience that this event may cause you, and we will continue to monitor this situation closely.
[Evan] Does the inconvenience thrust upon the victims outweigh the inconvenience of protection?
Commentary:
How does this happen at a well-respected public software company like Salesforce.com? They had to have known that there are umpteen breaches reported monthly involving similar circumstances. There is no mention of existing policy or procedure, so we can only assume. Sometimes what we assume is worse than reality.
Past Breaches:
Unknown
OMG!! Why aren't Salesforce.com employees practicing what they breach? Why do they have client data on laptops? Why aren't they using Salesforce.com wireless to connect to salesforce.com online servers instead?
How come only Salesforce.com has security leaks and data stolen and downed servers, and none of their competitors such as Netsuite, Salesboom.com, RightNow, etc. go through the same stuff!
I'm not sure if they have client data on laptops or not. This breach concerned confidential employee information on a "stolen device", which I suspect was a thumb/flash drive. Either way, not a good situation or practice.
Thanks for reading!