Acknowledges Data Loss

Business software provider acknowledged that a recent spate of targeted e-mail virus and phishing attacks against its customers resulted from one of its own employees falling for a phishing scam and turning over the keys to the company's customer database.

On Oct. 19, Security Fix reported that payroll giant Automatic Data Processing (ADP) and several banks -- including SunTrust -- were among a number of institutions victimized by a series of highly targeted phishing scams that addressed recipients by name and asked them to click on a link, which tried to download password-stealing malicious software. A SunTrust executive alleged that the scammers obtained their list of SunTrust customers via a data compromise at

A executive would not answer direct questions about the incident at the time. data also was implicated in a pair of targeted malware attacks that appeared to have been sent by the Federal Trade Commission; that attack installed password-stealing software on the PCs of more than 500 victims.

Now, in an e-mail sent Monday to nearly a million customers, is finally owning up to a data loss.

"We learned that a employee had been the victim of a phishing scam that allowed a customer contact list to be copied," the company wrote. "Information in the contact list included first and last names, company names, email addresses, telephone numbers of customers, and related administrative data belonging to

As a result of this, a small number of our customers began receiving bogus emails that looked like invoices, but were not--they were also phishes. Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher."

"However, a few days ago a new wave of phishing attempts that included attached malware--software that secretly installs viruses or key loggers--appeared and seemed to be targeted at a broader group of customers."

Update, 1:05 p.m. ET: Included a link to the letter sent by to its customers.

By Brian Krebs  |  November 6, 2007; 11:34 AM ET
Categories: Fraud, From the Bunker, Safety Tips



Posted by: Hmmm | November 6, 2007 11:49 AM | Report abuse

Those of you who are now considering moving away from Salesforce as a result of this incident might consider Netsuite (, if you are a big firm, or Heap CRM ( if you are a small one. I've used both at two different firms; they're both very good.

Posted by: Doug Cartlin | November 6, 2007 6:48 PM | Report abuse

This just goes on to reinforce the fact that security breaches can occur just about anywhere, especially if your data is with someone else. On-premise solutions are definitely worth considering.
A good system to consider for mid market companies would be Soffront CRM (

Posted by: Mark Smith | November 6, 2007 7:32 PM | Report abuse

Someone should hold SDC liable for this. It is absolutely ridiculous that they allow these sorts of breaches and suffer no consequence.

Just download SugarCRM and run your own.

Posted by: John A | November 6, 2007 7:50 PM | Report abuse

simply awesome

Posted by: regular joe | November 6, 2007 7:54 PM | Report abuse

This is why "hosted" solutions like this are such a problem. Have someone actually take a look at the TOS. They're not liable for ANYTHING.

Someone breaks in. They're not liable.

Their service dies and your data is trashed. They're not liable.

They decide to copy your data and sell it off as a "list". They're not liable. In fact, due to the TOS you agreed to, they have the RIGHT to do this!

Better still, the way they run their service tiering. You have certain limits on your account. If, during a given month, you accidentally exceed that (big promo, etc), you AUTOMATICALLY get bumped up to the next most expensive service tier WITH NO WAY TO MIGRATE BACK DOWN.

And the best of ALL the goodness? If you decide you want to migrate OFF their "service"? Guess what! They're under no obligation to return your data to you in any kind of migrate-able (or even USABLE format).

Oh, and remember what I said about them selling YOUR data? I'm sure you can guess what happens with the stuff in your account...

Don't believe me? Read it FOR YOURSELF!

If you want to do this stuff safe. If you want to do this stuff secure. If you want to do this stuff RIGHT? DO IT YOURSELF.

Sure, the "up front" cost is a bit more. But something like Act!, Sage, Goldmine, etc. will amortize out in a year or two. And more, you'll have greater depth of functionality than you would with SF.

PLUS, you won't have to worry about some third-party hack-job like getting cracked.

And don't let anybody lie to you. These programs are NOT difficult to master, nor to customize. Yes, SOME help is needed to get you educated. But beyond that?

Posted by: CEBjr | November 6, 2007 9:13 PM | Report abuse

Another alternative to is XL Group, Inc. (

Posted by: Chris | November 7, 2007 9:20 AM | Report abuse

hands down best solution is oracle's CRM on demand....check it out

Posted by: robb | November 7, 2007 10:55 AM | Report abuse

If you're stupid enough to still be using Windoze you deserve what you get.

Posted by: Anonymous | November 7, 2007 11:15 AM | Report abuse

If you're stupid enough to still be running Windoze you deserve what you get.

Posted by: Anonymous | November 7, 2007 11:17 AM | Report abuse

Hey Windoze jackalope, you realize that this is a WebApp right? It has nothing to do with Windows. Additionally, anyone can get suckered by phishing, on any platform, using just about any e-mail client. It's all about user education, not your OS. Geez fanbois are annoying.

Posted by: Anonymous | November 7, 2007 11:38 AM | Report abuse

If someone is going to be malicious and launch phishing expeditions, then it does not matter if the info is inside or outside your firewall, hosted or not. An ADP employee or two has access to this confidential info. It is our responsibility to remain educated on how to recognize a scam as a scam, and be suspicious of any unsolicited email communications.

Posted by: Could've happened to anybody .... | November 7, 2007 12:40 PM | Report abuse

You can build the biggest electronic castle or fortress in the world to protect yourself, data, or any other sensitive info, but when you walk out the door and hand the keys over to the thieves directly all that work was for nothing.

It is absolutely about educating people on what is correct and what is not. What is phishing and what is real. Of course in this world of get it done yesterday, many do not take the time to verify requests or consider in detail what or who is asking for info. That work environment only adds to the issue.

In the end it is up to the individuals to protect the information.

Do you think that new Lexus with all of the advanced safety features will protect you when you drive it off a cliff while eating a danish and sending an email on your morning commute?

Posted by: Michael Durnack | November 7, 2007 1:54 PM | Report abuse

This truly is just another prime example of user education. Large companies assume that everyone is as tech savvy as we are. So this is why social engineering will always be the solution for hackers to distribute their malware. Companies both large and small should make sure that their employees are educated on cyber threats.

Posted by: jhamner | November 8, 2007 11:24 AM | Report abuse

If you use, a company called OutProtect ( has a product that secures your downloaded data. The product stops authorized users (or people who have phished and stolen a valid ID/password) from removing Salesforce data without your knowing about it. These attacks are happening no matter what CRM you use, so OutProtect is a pretty cool way to lock down your info from walking out the door.

Posted by: CRM Expert | November 8, 2007 12:08 PM | Report abuse

makes 2FA security a Catch-22 choice for SMEs

The phishing incident should not come as a surprise to anyone. The growing popularity of the SaaS model means that providers like, NetSuite and Oracle are managing increasingly sensitive business applications and data for more and more high profile customers. It's too big a honeypot for the Internet Underworld to ignore.

It's really positive that are now recommending the use of two-factor authentication (2FA) to secure the login to their service, but there is one major flaw: to replace their basic password with a 2FA process you need to enable their 'Single Sign-On (SSO)' function. Unfortunately this SSO function is limited in the Professional Edition - the SME version which is used by the vast proportion of their customer base.

For these customers, SSO is a 'global setting' so it is either 'on' or 'off' for all users. This means that if 2FA tokens are to be deployed - they have to be issued to every single user; which can be simply too costly.

So for all Pro Edition customers, in order to follow's security advice, they have a costly Catch-22 choice: either upgrade to the more expensive Enterprise Edition or give everyone 2FA whether they need it or not.

It's a fallacy that only big companies use 2FA; we have hundreds of customers of all sizes using our fully managed two-factor Secure Authentication Service, some with just a handful of users.

It is frustrating that our customers cannot extend the use of their tokens to secure their accounts too. If were to make SSO a 'per user' setting on Pro Edition, this would show that they are committed to helping all customers improve their security.

John Stewart
Signify - The Secure Authentication Service

Posted by: John Stewart | November 8, 2007 12:54 PM | Report abuse

The internal use of OTP makes phishing an employee password a whole lot more difficult.

The password to a database, phished? I am impressed, but it was probably some single sign on solution that assumes too much (as I am doing now) and has no concept of location or time.

Now everyone go to their CRM and poison it with some clean data pointing to your honey pot. Mailing lists (postal and fax) have done it forever. You should be able to prove which CRM of yours was hit when fake data is being used.

Posted by: sploit master | November 8, 2007 1:07 PM | Report abuse
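
The canary-record idea in the comment above, as an added example (not code from the post or from any commenter): seed each provider's copy of your contact list with one distinct fake contact whose mailbox is derived from the provider name, then attribute a leak by checking which canary mailbox the bogus invoices arrive at. The mail domain, the contact name, the provider labels and the secret are all constructed for the demonstration.

```python
import hashlib
import hmac
import re

# Assumed: a mail domain the firm controls; every address here is constructed.
MAIL_DOMAIN = "example.com"
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def make_canary(provider: str, secret: bytes) -> dict:
    """Build one fake contact to seed into the CRM copy held by `provider`.

    The mailbox name is an HMAC of the provider name, so it is unique per
    provider, cannot be guessed, and reveals nothing about which copy it
    came from to anyone who sees only the address.
    """
    tag = hmac.new(secret, provider.encode(), hashlib.sha256).hexdigest()[:10]
    return {
        "provider": provider,
        "first_name": "Dana",
        "last_name": "Whitfield",            # constructed, not a real person
        "email": f"dana.whitfield.{tag}@{MAIL_DOMAIN}",
    }


def recipients(raw_message: str) -> list[str]:
    """Pull every address out of the To: and Cc: header lines of a message."""
    found = []
    for line in raw_message.splitlines():
        if line.lower().startswith(("to:", "cc:")):
            found.extend(a.lower() for a in ADDR_RE.findall(line))
    return found


def attribute_leak(registry: list[dict], raw_messages: list[str]) -> dict:
    """Map each provider whose canary received mail to the number of hits.

    Nobody legitimate ever writes to a canary mailbox, so any hit means the
    contact list seeded into that provider's system has been copied.
    """
    by_email = {c["email"]: c["provider"] for c in registry}
    hits: dict[str, int] = {}
    for msg in raw_messages:
        for addr in recipients(msg):
            if addr in by_email:
                hits[by_email[addr]] = hits.get(by_email[addr], 0) + 1
    return hits


if __name__ == "__main__":
    key = b"constructed-demo-secret"
    reg = [make_canary(p, key) for p in ("crm-vendor-a", "crm-vendor-b")]
    phish = f"From: billing@invoices.test\nTo: {reg[0]['email']}\nSubject: Invoice"
    print(attribute_leak(reg, [phish]))  # {'crm-vendor-a': 1}
```

Keep the secret and the registry outside the CRM itself; if the registry travels with the contact list, the attacker can simply strip the canaries out.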

Wow, these knee-jerk reactionaries who would like to turn back the clock on "SaaS" are quite amusing. Need I point out that this could have easily happened at a company that sells an on-premise solution as well? It was's own customer list that was compromised, not the CRM data belonging to its customers in its application. This has happened at other companies in the past that weren't SaaS or even software companies. So it looks bad, sure, and could have been prevented, but it's not a reason to go buy Act/Goldmine or whatever other nickel-dimer CRM software you might be thinking of. Base your purchasing decisions on real issues, not the FUD factor.

Posted by: JoeB | November 8, 2007 6:15 PM | Report abuse

The best way will be to take a middle path.

1) Go for a vendor who offers both options namely Hosted and On-Premise.
2) Start with Hosted and complete your evaluation of the vendor and its offering in a live environment
3) Once you are satisfied, migrate to the on-premise version. The vendor will simply shift your project from their data center server to your server.


1) de-risk your business by low initial investment and decide to take the final plunge when you are 100% sure
2) Remove risks of data loss/theft by moving to on-premise. Your data need not have to stay forever in vendor data center.


to know more on this

there is also a webinar archive on this host-to-own concept...this is in one of the CRM vendors website

Posted by: Pathikrit (Pat) Dasgupta | November 22, 2007 9:57 AM | Report abuse


© 2010 The Washington Post Company