Customer relationship management (CRM) organization HubSpot has announced that a breach of almost 30 customer portals has been identified. It appears that the primary targets were in the cryptocurrency industry, including some well known firms such as BlockFi, Swan Bitcoin, Paxos and NYDIG.
HubSpot has confirmed that the breach was achieved through a compromised employee account, which was swiftly closed down following its identification. Exactly how the employee account was accessed has not yet been divulged, but HubSpot issued a statement assuring customers that suitable measures had been taken to protect against repetitions of the breach. The CRM has implemented access restrictions on other employees, limiting the number with access to certain information solely for "account management and support purposes."
What was stolen?
The perpetrator was initially believed to have only been able to extract contact details. Client funds and more sensitive information, such as government IDs and Social Security numbers remained secure, according to statements issued by BlockFi and Swan Bitcoin, as these should not be managed or stored by HubSpot.
To be entirely transparent with its customers, Swan Bitcoin did follow up with a second, revised statement when more was learned about what had been compromised. While this does suggest that HubSpot was potentially storing information it shouldn't have, Swan Bitcoin has reassured clients that the data leak does not affect them.
What personal data should HubSpot handle?
Typically CRMs only store the minimal amount of customer information for their clients. The entire basis of the service they provide means that anything of greater importance and security isn't relevant and therefore shouldn't be held. So that means basic contact information and communication histories with the service provider — in this case, the crypto firms. Of course, those communications could pertain to deals and negotiations, as well as discussions of transactions.
There is no doubt a shared sense of relief that little more than contact information was stolen, but the firms affected have wasted no time in contacting customers to warn them of the breach. And rightly so, as explained by HubSpot super administrator Robert Warren, writing for Bitcoin Magazine: "While it is true that financial data is not stored in the CRM, you should be aware that data associated with the users of these companies and their behaviors is logged in the CRM. This puts users in a unique position to be targeted in social engineering attacks."
The concern now, then, is that the individuals' data stolen in the breach could be used in conjunction with phishing scam attempts. Hence the swift announcements from HubSpot clients via social media and direct communications advising customers to remain vigilant toward suspicious messages. Those suspicious emails may be harder to spot because a bad actor could be including significantly more accurate information about their target than a more run-of-the-mill phishing scam campaign might.
Protecting against CRM breaches
In the wake of this latest breach at HubSpot, clients of CRMs are going to want to know what best practices are advised to ensure their data is as low risk as possible. The reality is that software-as-a-service (SaaS) providers are a prime target for cybercriminals because they offer such rich rewards when it comes to customer information. SaaS providers naturally have a duty of care when it comes to the data they collect and store for clients, but for peace of mind it is recommended that clients pay particular attention to certain areas when engaging a SaaS provider.
- In the first instance, consider what data you will be handing over to a third party. While you are going to be contractually protected to some degree, you are still handing over the personal information of your customers for another organization to look after. Be selective about how much you are entrusting to a CRM — or any other SaaS, for that matter.
- Find out what controls and safeguards the CRM has in place, especially in relation to monitoring and adjustability. Wherever possible, choose to have securities tightened as far as you can.
- Ask your CRM to explain its risk analysis processes to you. This should include details around frequency, methods and resolution procedure, should anything be flagged.
- Also enquire about data retention; find out how long information is stored and how. This is also something that can potentially be amended to cut down the amount of data that might be vulnerable at any given time, should an incursion happen.
As a rather extreme last resort, don't be afraid to seek out an alternative SaaS provider if your current one isn't able or willing to offer what you want or need. Remember that customer data is considered a sacred thing, coveted and entrusted. It is the responsibility of service providers to do their utmost to protect and secure vital information for their clients.