salesforce.com's customer list stolen, used for highly targeted phishing scams

cy

Salesforce.com Acknowledges Data Loss

On Oct. 19, Security Fix reported that payroll giant Automatic Data Processing (ADP) and several banks -- including Suntrust -- were among a number of institutions that were victimized by a series of highly-targeted phishing scams that addressed recipients by name and asked them to click on a link - which tried to download password-stealing malicious software. A Suntrust executive alleged that the scammers obtained their list of Suntrust customers via a data compromise at Salesforce.com.

A Salesforce.com executive would not answer direct questions about the incident at the time. Salesforce.com data also was implicated in a pair of targeted malware attacks that appeared to have been sent from the Federal Trade Commission, an attack that installed password-stealing software on PCs of more than 500 victims.

Now, in an e-mail sent Monday to nearly a million customers, Salesforce.com is finally owning up to a data loss.

http://blog.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html

http://blog.washingtonpost.com/securityfix/2007/11/deconstructing_the_fake_ftc_em_1.html
 
Damn, that's pretty heavy duty. I sorta wonder if companies just don't really care that much about their customers' data. Banks spend $$$$ to keep their money safe. I think data security is more of an afterthought for executives.

In my last job, my boss never wanted to spend one red cent on data security because it didn't have a quantifiable return on investment. After I quit I tried logging into a few of the databases the company uses, and they didn't even change the passwords. I could have easily stolen or wrecked their database.

Maybe lack of security is due to sheer stupidity and complacency. This crap really annoys me, because companies want a lot of personal data from you these days...
 