Jp: Two Salesforce incidents reportedly shut down online vaccination reservation systems, exposed other personal info
Updated May 18: See the Salesforce statement issued May 17 confirming that there was no data loss or breach involving the first incident described below.
Yomiuri Shimbun reports:
A failure in a cloud computing system provided by U.S.-based IT company Salesforce.com Inc. paralyzed COVID-19 vaccination reservation systems operated by local governments across Japan on Wednesday.[…]
In another issue regarding services provided by Salesforce, it has been found that personal information stored by dozens of municipalities and companies in Japan could have been viewed by unauthorized third parties since the end of last year. The National center of Incident readiness and Strategy for Cybersecurity (NISC) has called for caution, warning that the risk of information leaks could increase.
Read more on The Japan News.
Salesforce did not respond to an inquiry sent via e-mail yesterday asking whether the vaccination-related incident was the result of a cyberattack or of other causes, but news coverage by The Register suggests that it was a DNS issue, citing a statement by the firm:
The team determined the root cause was related to the implementation of an emergency fix that triggered a software issue and caused a DNS network incident. To resolve the issue, the team manually restored DNS service on a data center by data center basis until normal service levels were restored.
Because Salesforce did not respond to the inquiry, we do not yet have an answer to the question about the second incident mentioned in the news report — as to whether Salesforce had actually been responsible for the security of the personal information that was disclosed.
This post will be updated if a reply is received.
Marcelo - May 18, 2021
Here is the official report about the incident “Multi-Instance Service Disruption on May 11-12, 2021” https://help.salesforce.com/articleView?id=000358392&type=1&mode=1
@Dissent, adjust the article, there was no data breach.