Salesforce outage exposes Pardot marketing automation data

Salesforce's 15-hour outage may not scare away users. But it might get them to use more encryption, as the outage exposed customer marketing automation data in the GDPR era.

A Salesforce outage led to repercussions days after the event, as eastern U.S. customers attempted to sign in and found themselves locked out.

The May 17 outage, caused by a faulty database script Salesforce had installed -- possibly connected to new Pardot Business Units B2B personalization tools -- led the CRM vendor to shut down Marketing Cloud services for 15 hours into the weekend, causing aftershocks three days later.

The faulty script exposed customer data internally within Salesforce user instances more broadly than the permissions set on that data allowed -- but only for customers that were using Pardot now or had done so in the past. This, in theory, temporarily gave all employees with a Salesforce login the ability to see and edit their company's customer data. That led Salesforce to cut access for all users with Pardot until data permissions were restored, according to reports.

"Automation has given us great benefits," said Balaji Parimi, CEO of CloudKnox, a cloud data security vendor catering to customers of Salesforce and other vendors. But, "If we don't put in the proper measures to mitigate this risk, we're going to see these problems with modern technology."

Parimi said that the potential permissions settings for customer data have multiplied into the thousands in cloud platforms, many more than were common on on-premises platforms from just a few years ago.

Problems that caused the Salesforce outage are likely to become more prevalent as cloud vendors push intermittent updates much faster than traditional development cycles, Parimi added.

Salesforce was quiet about the loss of service, except for a few public outlets, including co-founder and CTO Parker Harris' Twitter page and the official Salesforce outage update page, which noted that some customers still were experiencing "performance degradation" but said the service disruption was over.

Analysts: GDPR enforcement unlikely

The Salesforce outage affected U.S. and European Union customers. While the data exposure technically could lead to GDPR compliance actions, analysts said it probably wouldn't. That's because it wasn't a hostile outsider attack in which a hacker stole massive amounts of data, and because Salesforce quickly moved to mitigate the exposure.

Figure: Outage maps showing where U.S. Salesforce customers reported problems on May 17 and May 20, 2019.
U.S. Salesforce outage reports flared up at noon Eastern time Friday, May 17 (top), and then again on Monday, May 20 (bottom), at 11 a.m., with lingering widespread problems.

That's in contrast to, for example, credit card company breaches reported long after they happen, said Brent Leary, owner of consultancy CRM Essentials and SearchCustomerExperience expert contributor.

"The fact that the credit card companies often don't say anything until months later, where you had no clue your data was compromised -- that's terrible," Leary said. "Salesforce tells you what happened, where it went wrong, immediately. That's a huge difference."

Customers likely to forgive -- this time

Upset users on Twitter quickly reacted to the Salesforce outage with anger and frustration, spiking traffic on hashtags such as #SalesforceDown and #Permissiongeddon.

Communicating with about 50 Salesforce customers his firm Constellation Research advises, founder Ray Wang said he didn't see anyone panicking and shopping around for new CRM and marketing automation platforms.

"We give them the benefit of the doubt," Wang said. "If this were happening every month, people would be outraged. I don't think this is going to scare anyone away."

Wang and Parimi said some customers will consider third-party permissions management tools, as well as deeper data encryption to protect sensitive data in case another outage takes place. They also noted that Salesforce is just the latest vendor to experience an outage related to a feature push.

Other vendors surely will experience similar problems as cloud infrastructure becomes the norm; it's bound to happen, so customers should draw up plans to stay in compliance and in business during such events.

The public nature of Salesforce being a cloud vendor, with customers chirping on social media and message boards, required the relatively swift response the CRM platform vendor took, Wang said.

"If this were to happen within your company, you would never know," Wang said. "The number of times this happens is so much lower than if you were running it on your own. People forget that, we're so used to the reliability of the cloud."
