Data Breach in your CRM System. Do you know the Risks?

By ISBuzz Team, Writer, Information Security Buzz | Mar 08, 2016 07:00 pm PST

Today’s modern CRM systems are vital to your business’ success. CRM data now holds every aspect of your business’ proprietary information, from corporate intelligence to sales data, as well as your customers’ information, from buying patterns to PII. A breach of your CRM could be devastating to your organization, resulting in lawsuits or irreparable harm to your brand’s reputation and customer trust. With so much at stake, here is what you need to know to protect your CRM.

The Value of CRM Data

Today’s modern CRM systems contain data that is invaluable. These systems hold significant information about corporate intelligence, financial information, sales data, patient health information, credit card information, bank wiring instructions, and every possible detail about a company’s customers. In fact, a single CRM customer instance can store vast amounts of regulated, confidential and proprietary information.

If not properly protected, internal and external bad actors can exploit this data in a number of ways, including:

  • ID Theft/Medical ID Theft
  • Fraud
  • Nation-state espionage
  • Corporate/competitive espionage
  • False billings
  • Selling data to a third-party

We have all heard about the escalating data breaches over the last few years, and we all know that the cost and related consequences of such breaches are quite severe. As per the Ponemon Institute’s recent global study (sponsored by IBM), the average consolidated total cost of a data breach has increased by 23 percent since 2013.

“Based on our field research, we identified three major reasons why the cost keeps climbing. First, cyber-attacks are increasing both in frequency and the cost it requires to resolve these security incidents. Second, the financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost. Third, more companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management.” (Dr. Larry Ponemon, chairman and founder, Ponemon Institute)

When a data breach affects a company, the first thing it tends to check is whether the hackers were able to get the customers’ financial/payment details. Companies almost seem to rejoice when they find that these details are safe, and then almost proudly announce to the press that although intruders did manage to sneak into their systems, “no credit card details were stolen,” downplaying the value of the other data the hackers may have obtained, including important CRM data.

While many data breaches are caused by external bad actors, it’s not just hackers, malware writers, nation-state attackers or organized crime rings who are looking to steal proprietary CRM data. Hundreds or even thousands of insiders (employees, contractors or other business partners) can have authorized access to a company’s CRM. According to a recent Intel Security report, internal actors were responsible for 43% of data loss, half of it intentional and half accidental. Customer and employee information were the top two content categories, according to the report.

Data Under Attack

With access to customer CRM data, cyber criminals can contact customers and build trust with them by sharing back the customer data they have obtained. Once the customer is convinced that he/she is interacting with a (perceived) genuine entity, the hackers are only too eager to obtain additional data from these customers. This information can then be sold to interested parties who use it for identity theft. When the crime comes to light and customers are finally able to trace it to the hacking incident, companies tend to lose the one thing customers actually go to companies for in the first place: trust.

Apart from identity theft, malware can penetrate an organization through phishing emails carrying infected attachments or links that compromise the recipient’s machine when opened. Through phishing or targeted “spear” phishing, criminals get access to email addresses, company hierarchy information, etc. These criminals then masquerade as upper management executives and email junior employees asking them to make a wire transfer. (The email may ask for a wire transfer to a vendor, but with bank details that belong not to the vendor but to the criminals.) Or they can obtain an authorized user’s credentials to access the CRM and steal the data.

According to the 2015 Identity Fraud Study conducted by Javelin Strategy & Research, 12.7 million U.S. consumers were victimized in identity theft with fraud losses amounting to $16 billion in 2014. As per the Bureau of Justice Statistics (BJS), identity theft costs Americans far more than all other property crimes.

If hackers already have access to the user’s credit card information, they may use the customer payment history obtained through the CRM data hack to conduct fraudulent transactions. The transactions are done in such a way (withdrawal of small amounts) that the customer is unable to tell that something is wrong until a number of transactions have already taken place.

As per the 2014 Javelin Strategy & Research report, the cost of credit and debit card fraud rose to $11bn in 2013. According to a BI Intelligence report, the U.S. accounted for 51% of all global payment card fraud in 2013.

The company’s CRM data can also contain strategic information about the company, including sales forecasts, prospective customer details, etc. Bad actors, either internal or external, can download customer lists (for instance as an employee is leaving the company) or sell the information to ill-intentioned competitors who are more than happy to get sensitive competitor information. Corporate espionage is a growing business today, and hackers can command hefty premiums for such information.

Data theft by internal users continues to increase in damage, and studies suggest that, more than ever, employees who work on intellectual property projects believe they are entitled to take it. Additionally, departing employees, disgruntled employees, or an employee whose credentials have been compromised by a third party can access and download CRM data on their way out, often without detection.

In 60% of 150 data theft cases studied in the Recover Report, internal perpetrators stole proprietary information in order to secure a new position with a competitor. In 30% of those cases studied the internal motivation was to use the stolen information to create new business.

Losses to corporate espionage in the US are estimated at 300 billion annually. As per the Brookings Institute, 65+ percent of a company’s value, sources of revenue, sustainability and growth lie in information assets, intellectual property (IP) and proprietary competitive advantages.

Further, there has never been more regulatory enforcement of privacy and security standards, by industry and across the globe.

Some basic steps that can help protect customer data are the following:

  • Companies that hold sensitive customer information and records can install alarm systems that detect data breaches and trigger immediate countermeasures, including shutting down the breach immediately
  • Companies can use efficient encryption systems, as well as identity and access management systems which grant access rights strictly on a need-to-know basis. Employees who no longer need access rights can be removed from the system on a regular basis.
  • Additional user authentication layers can be used to protect the data
  • Cloud-based CRM systems with IP address range restrictions can be used
  • Enabling the audit log function of your CRM. The lack of automated audit logs makes monitoring impossible and a forensic investigation time-consuming and expensive. The lack of audit logs also leaves a void in all security certifications and regulatory requirements that relate to audit controls.
  • Continuous monitoring with alerts and filtering: User activity monitoring and alerts provide some peace of mind, as well as visibility into suspicious user behaviors.
  • The importance of data protection can be highlighted regularly in internal company forums and made an important part of the company’s internal briefings. According to surveys, employees who use internal CRM applications account for more than 75 percent of the breaches that occur.
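The monitoring, IP-restriction and access-removal steps above can be combined into a simple review of the CRM audit log. The following Python script is an added example, not code from the article or from any CRM vendor: the log format, field names, IP allow-list, export threshold and HR deprovisioning feed are all assumptions, and the log lines are constructed for illustration.

```python
from collections import Counter
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample CRM audit log in an assumed CSV layout:
# date,user,action,record_count,source_ip
SAMPLE_LOG = """\
2016-03-01,jsmith,VIEW_CONTACT,1,10.20.0.15
2016-03-01,jsmith,VIEW_CONTACT,1,10.20.0.15
2016-03-01,rlee,EXPORT_REPORT,4800,10.20.0.44
2016-03-02,mchen,LOGIN,0,203.0.113.7
2016-03-02,tgone,VIEW_CONTACT,1,10.20.0.9
"""

ALLOWED_RANGES = [ip_network("10.20.0.0/16")]  # assumed corporate IP allow-list
EXPORT_THRESHOLD = 1000                         # assumed daily bulk-export limit
# Assumed HR feed: accounts that should have been deprovisioned by this date
DEPROVISION_BY = {"tgone": date(2016, 2, 28)}

def parse_log(text):
    """Turn the constructed log text into a list of dict entries."""
    entries = []
    for line in text.strip().splitlines():
        d, user, action, count, ip = line.split(",")
        entries.append({"date": date.fromisoformat(d), "user": user,
                        "action": action, "count": int(count), "ip": ip})
    return entries

def find_alerts(entries):
    """Return (rule, user) pairs for the behaviours the article warns about:
    bulk exports, access from outside the IP allow-list, stale accounts."""
    alerts = []
    exported = Counter()
    for e in entries:
        if e["action"] == "EXPORT_REPORT":
            exported[(e["user"], e["date"])] += e["count"]
        if not any(ip_address(e["ip"]) in net for net in ALLOWED_RANGES):
            alerts.append(("outside_ip_range", e["user"]))
        deadline = DEPROVISION_BY.get(e["user"])
        if deadline and e["date"] > deadline:
            alerts.append(("stale_account_access", e["user"]))
    for (user, day), total in exported.items():
        if total >= EXPORT_THRESHOLD:
            alerts.append(("bulk_export", user))
    return sorted(set(alerts))

if __name__ == "__main__":
    for rule, user in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule}: {user}")
```

On the sample log this flags rlee’s 4,800-record export, mchen’s login from outside the allow-list and tgone’s access after the deprovisioning date.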

About Avani Desai

Avani Desai is a Principal and Executive Vice President at BrightLine, with over 13 years of technology and privacy experience.

About Kurt Long

Kurt Long is the Founder and CEO of FairWarning®, a leading global provider of solutions which expand trust in mission critical applications such as Salesforce, Electronic Health Records and cloud-based applications.
