Don't Trust Salesforce.com ...

The big hold back has always been that "secure" part. How reasonable is it to assume that some third party is going to take as much care of sensitive information as its owner would? Somehow I've always had this nagging concern that the security of data isn't really as important to these application hosting companies as they want us to think it is. That might sound a little paranoid, but a little paranoia tends to be healthy when it comes to system security.

This is one of the reasons why I've tended to advise clients to save the monthly per-user fees they would pay to an application hosting firm, use it to set up their own secure server and to pay for someone to maintain it. In most cases there's a free tool available that will exceed the requirements of most small to medium sized enterprises, and the actual amount of time required to keep a system secure makes it cost effective to maintain control of the systems while outsourcing the maintenance.

One of the more popular web applications is contact management. The leader in this field, salesforce.com, has been wildly successful at helping companies spend less energy on the systems that support the sales process and more time on actually selling. Generally speaking this is a good thing. A few years back I did a business analysis of the Salesforce solution versus some low-to-no cost alternatives like SugarCRM.

As part of that analysis, I signed up for a free account at salesforce.com. now when I sign up for something like this, I usually create a unique mail address — so I can trace spam back to the source and beat up whoever failed to protect my data. Over the last few years, there's been a real drop in the number of companies that will unscrupulously resell a mail address. This has been the result of both a huge backlash against spam and some well placed legislation. These days, when a trace address gets spammed, it's usually the result of a misdeed; someone deliberately copies the data and sells it without the knowledge or consent of the company who owns it.

Well last week my Salesforce.com trace address got spammed. Here's part of the headers:

From - Fri Sep 14 07:38:59 2007

>From dealmakermedia_2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com Fri Sep 14 06:38:12 2007

Received: from common1.wc09.net ([38.100.231.181])

 by xxx.yyy.com with esmtp (Exim 4.68)

 (envelope-from <dealmakermedia_2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com>)

 id 1IW9Up-0008L1-Dc

 for (deleted)@ambitonline.com; Fri, 14 Sep 2007 06:38:12 -0500

Received: from josephine.whatcounts.com (192.168.127.32) by common1.wc09.net (PowerMTA(TM) v3.2r8) id ht9mui0c2qc7 for <(deleted)@ambitonline.com>; Fri, 14 Sep 2007 04:16:37 -0700 (envelope-from <dealmakermedia_2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com>)

From: "Dealmaker Media" <dealmakermedia@response.whatcounts.com>

To: (deleted)@ambitonline.com

Subject: The Momentum 15: Ladies and Gentlemen, place your bets!

Date: 14 Sep 2007 04:47:01 PDT

Reply-To: "Dealmaker Media" <dealmakermedia_2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com>

ENVID: WC-1189770421372-F78F7

Message-ID: <2CD269C9A686B38C3141790CE0B1990652961EAF3BE0B1A3@response.whatcounts.com>

MIME-version: 1.0

Content-type: text/html

X-Mailer: WhatCounts

That caused me to forward the message to a support address at salesforce.com:

Date: Fri, 14 Sep 2007 08:22:10 -0400

From: Alan Langford <jal at remove_this_nospam ambitonline.com>

User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)

MIME-Version: 1.0

To:  support@salesforce.com

Subject: [Fwd: The Momentum 15: Ladies and Gentlemen, place your bets!]



As you can see from the headers of the message below, when I provided 

information to your organization, I used a highly traceable address in 

order to detect violations of my privacy. I can assure you that the 

address "(deleted)@ambitonline.com" was provided exclusively to your 

organization. In my experience, this sort of violation is frequently due 

to unauthorized use of data, and as such it is probably as serious a 

matter for you as it is for me.



I look forward to a report from you on how this personal and proprietary 

information wound up in the hands of the group who sent this message, 

and the actions you are taking to prevent it from happening again. 

Moreover, given your inability to protect this information, please 

explain why I should trust your organization with something as sensitive 

as my own contact database.

After receiving no response, I sent another message to them this morning (September 20, 2007), informing them that I was planning on making their data loss public. Still no response.

So that's it. Either salesforce.com is violating their own privacy policy, which seems highly unlikely; or they have had an "unauthorized data leak" and they don't want to talk about it much. There's a third alternative, which is that a response from their support team takes more than a week.

The first two possibilities are serious indeed. Serious enough for me to confidently say don't trust your sales data with salesforce.com, ever! Set up your own system (and most likely save a boatload of money in the process). As for the third possibility, well... just save a boatload of money and get better support in the process.

It turns out I wasn't so paranoid after all.