Slack's Insufficient Security Measures
Slack's Insufficient Security Measures | |
---|---|
Short Title | Slack Applies Insufficient Security Measures |
Location | Global |
Date | July 2019 |
Solove Harm | Insecurity, Secondary Use |
Information | Identifying, Contact, Communication, Computer Device, Professional, Social Network, Authenticating |
Threat Actors | Slack Technologies Inc., Companies that use Slack for corporate communication, Law Enforcement |
Individuals | |
Affected | Users of Slack |
High Risk Groups | Employees |
Tangible Harms | |
Slack was found to have insufficient security measures, failing to encrypt user data, and having unfair data retention policies.
Description
According to Slack’s S-1 form, the company faces threats from “sophisticated organized crime, nation-state, and nation-state supported actors.”
The company acknowledges that its security measures “may not be sufficient to protect Slack and our internal systems and networks against certain attacks,” and correctly assesses that it is “virtually impossible” for the company to completely eliminate the risk of a nation-state attack.
Right now, Slack stores everything users do on its platform by default, including usernames and passwords, and all messages.
That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers — including the nation-state actors highlighted in Slack’s S-1 — can break in and steal it. This is an example of Insecurity.
Particularly alarming is that free customer accounts don’t allow for any changes to data retention. Slack retains all of its users' data but makes only the most recent 10,000 messages visible to the user. The remaining messages are stored on Slack servers to keep them ready in case the user decides to upgrade to the paid version. Hiding users' communication data from them and using it as "bait" to make them pay can be interpreted as Secondary Use.
Laws and Regulations
Sources
https://www.nytimes.com/2019/07/01/opinion/slack-chat-hackers-encryption.html
https://www.sec.gov/Archives/edgar/data/1764925/000162828019004786/slacks-1.htm