The popular productivity tool Slack allows teams to collaborate, communicate and share information.  According to Slack’s website, “everyone has a transparent view of all that’s going on”.  But when Slack is integrated with file management tools like Google Drive, sensitive data can be exposed.

That’s exactly what happened in a recent incident within the U.S. General Services Administration (GSA). By enabling Slack users to preview file contents from Google Drive, government technologists also permitted that content to be uploaded and indexed by Slack’s servers. According to the GSA Inspector General’s report, the integration of Slack and Google Drive “permitted full access to over 100 GSA Google Drives, resulting in a data breach”.

The technology team involved admitted in a blog post that the integration was a mistake and the vulnerability has been addressed.

Here’s something scary: the post also stated “We make it a practice to regularly remind our team of their onboarding and training, and to always read the fine print when creating an OAuth 2.0 connection — good advice for anyone. Whether you use Google Drive for personal or professional reasons, you should occasionally check if you’re comfortable with what you’re sharing.”

If the GSA’s data security protocol relies on practices like “you should occasionally check if you’re comfortable with what you are sharing”, we can expect a lot more breaches.

The point is that using common productivity tools to access sensitive files or data must be done with extreme caution, because it can allow information to be passed to outside servers and unauthorized users.

 
