Zendesk Support is a ticketing system, designed to help customers track, prioritize, and solve customer support interactions. It features a variety of integrations with Chat Bots, AI-Call transcription, and much more. These integrations combined with the ability for support agents to enter free text notes when on a call with a customer means Zendesk stores a substantial amount of sensitive data.
For example, imagine you are having trouble checking into your Airbnb or picking up your Turo. If you call their help center they may be using Zendesk, when they confirm your identity or ask for updated payment information this information may accidentally be entered into Zendesk.
It is this wealth of information flowing into Zendesk and the increasing government legislation on consumer privacy (CCPA, GDPR, and more) that means organizations need to actively protect the data contained within Zendesk.
Leading security risks and challenges
Workflows in Zendesk can add to the risk of sensitive data exposure in several ways, including:
- Automations and triggers: Automations and triggers can be set up to automatically perform actions based on certain conditions, such as sending emails or creating tickets. If not configured correctly, these automations and triggers could result in sensitive data being sent to unintended recipients or exposed in public-facing areas.
- Integrations: Integrations with other systems or applications such as Salesforce, Jira, Slack, Asana, GSuite or Shopify can allow sensitive data to be shared between different platforms. If not properly secured and monitored, these integrations could result in data leakage or unauthorized access.
- File attachments: File attachments in Zendesk are a common way for customers to provide additional information and context about their support requests. Common workflows include uploading files to support tickets for additional context and downloading and reviewing attachments. Attachments are served via links in Zendesk Support, and by default anyone who obtains a link can access the file without first authenticating to Zendesk.
- User access and permissions: User access and permissions need to be carefully managed to prevent unauthorized users from accessing sensitive data. If access is granted without proper authorization or permissions are not properly managed, sensitive data may be exposed to users who should not have access to it.
- Customizations: Customizations, such as adding custom fields or customizing the user interface, can create unintended consequences, such as exposing sensitive data in unexpected areas or making it more difficult to secure.
- Reporting and analytics: Reporting and analytics tools can provide valuable insights into data, but if not properly secured and restricted, they could expose sensitive data to unauthorized users or third-party vendors.
Potential vectors of attack within Zendesk
As a popular customer support platform, Zendesk is not immune to security threats. Here are some potential vectors of attack in Zendesk:
- Unauthorized access to sensitive data: Zendesk Support allows agents to access customer information, such as names, addresses, phone numbers, and email addresses, as well as any additional data provided by the customer during a support interaction. If an unauthorized party gains access to a support agent's account, they could potentially access this sensitive data, and that access can be used for a privilege escalation attack across the organization.
- Brute force & credential stuffing attacks: Brute force attacks involve attempting to guess a user's password by repeatedly trying different combinations of characters until the correct password is found. If a support agent's password is weak, it could be vulnerable to a brute force attack. In some cases, hackers don’t need to brute force accounts in order to gain access; they simply purchase username and password details on the dark web, or sometimes even session tokens.
- Phishing attacks: Phishing attacks involve tricking users into providing sensitive information, such as passwords or credit card numbers, by posing as a legitimate entity. If a support agent falls for a phishing scam, an attacker could gain access to their account and any sensitive data associated with it.
- Malware infections: Malware is malicious software that can infect a user's computer, steal data, and cause other types of damage. If a support agent unknowingly downloads malware onto their computer, it could compromise the security of their Zendesk Support account and any customer data associated with it.
- Vulnerabilities in third-party apps: Zendesk Support integrates with a range of third-party apps that can provide additional functionality, such as chatbots or analytics tools. However, these third-party apps can also pose a security risk if they contain vulnerabilities that can be exploited by attackers. Organizations should be careful when selecting and using third-party apps with Zendesk Support.
- Insider threats: Insider threats involve employees or contractors who have access to sensitive data intentionally or unintentionally compromising security. Organizations should have robust security policies in place to prevent insider threats, including monitoring and auditing access to Zendesk Support accounts and data.
The Continued Growth of Sensitive Data
The proliferation of sensitive data continues to grow unabated, particularly for support agents using Zendesk. Zendesk’s CX Trends 2022 Report found that ticket volume had increased across all channels, with webform/email up 10% YoY and chat up 17% YoY.
This makes Zendesk an attractive target for hackers looking for PII (SSNs, street addresses, and more), PHI (ICD codes, medications, and more), secrets and keys (passwords and API keys), and payment information (credit card numbers, bank routing numbers, and more). This is evident in the 2016 Zendesk breach that affected over 15,000 Zendesk accounts.
These findings are supported by a recent study completed at Nightfall across thousands of organizations. Some key findings are outlined below:
Best practices for protecting data
Zendesk outlines some of their best practice security recommendations here. However, we have put together a more complete list of best practices to protect customer data below:
- Enable two-factor authentication: Enabling two-factor authentication (2FA) for all users can significantly reduce the risk of unauthorized access to your data.
- Limit access to sensitive data: It is important to limit access to sensitive data, such as customer email addresses, names, and phone numbers, to only those users who need it to perform their job duties. Ensure that only authorized users have access to sensitive data by using role-based access controls (RBAC) and reviewing user permissions regularly.
- Redact or remove unnecessary sensitive data: Zendesk and your support agents will collect an abundance of data during regular operations. Much of this data is not needed to provide ongoing support, hence it is important to find, classify and then take action on any data that is not critical to ongoing support.
- Use strong passwords: Require all users to use strong passwords that are at least eight characters long and include a mix of upper and lowercase letters, numbers, and special characters. Enforce password expiration policies.
- Monitor login activity: Monitoring login activity can help you identify suspicious activity or unauthorized access to Zendesk Support. Enable login activity tracking in your Zendesk Support account and regularly review the logs for any anomalies.
- Audit third-party apps: Zendesk Support integrates with a wide range of third-party apps that can provide additional functionality. However, these third-party apps can also pose a security risk if they contain vulnerabilities that can be exploited by attackers. Regularly audit third-party apps that are integrated with your Zendesk Support account to ensure that they are secure and up to date.
- Regularly review security policies: Regularly reviewing and updating your organization's security policies can help ensure that your Zendesk Support account remains secure. This includes updating policies related to password management, access control, and data protection.
- Enable secure downloads: By default, when you upload attachments to tickets in your Zendesk workspace, anybody with the link can view them: no permission check is performed when someone opens a shared link, so if that URL is forwarded to an outsider, they can view the attachment. It is therefore vital that organizations enable the “Enable secure downloads” setting in Zendesk, as outlined here. This forces users to log in before they can view the file, blocking unauthorized parties from viewing the attachment.
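The "Monitor login activity" recommendation above is only useful if the review step turns log lines into actionable anomalies. The following Python is an added example, not Nightfall's or Zendesk's code, of two simple checks a security team could run over an exported login log: a success from an IP address the agent has never used before, and a burst of failed logins from one address immediately followed by a success. The log layout (`timestamp user ip result`), the baseline of known IPs, the thresholds and the sample lines are all constructed for this example; Zendesk's own audit-log export uses its own schema, so the parser would need to be adapted to it.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log; the "timestamp user ip result" layout is an
# assumption for this example, not Zendesk's audit-log format.
SAMPLE_LOG = """\
2024-03-01T08:00:12Z agent.a@example.com 203.0.113.10 success
2024-03-01T08:05:40Z agent.b@example.com 198.51.100.7 success
2024-03-01T23:10:01Z agent.a@example.com 192.0.2.55 failure
2024-03-01T23:10:09Z agent.a@example.com 192.0.2.55 failure
2024-03-01T23:10:15Z agent.a@example.com 192.0.2.55 failure
2024-03-01T23:10:31Z agent.a@example.com 192.0.2.55 success
2024-03-02T09:00:00Z agent.b@example.com 198.51.100.7 success
"""

# Constructed baseline: the addresses each agent normally signs in from.
BASELINE_IPS = {
    "agent.a@example.com": {"203.0.113.10"},
    "agent.b@example.com": {"198.51.100.7"},
}


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    ok: bool


def parse(log: str) -> list[Event]:
    """Turn the whitespace-separated sample layout into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, ip, result == "success"))
    return events


def analyse(events: list[Event], known_ips: dict,
            max_failures: int = 3, window: timedelta = timedelta(minutes=5)):
    """Return (alert_type, user, ip, timestamp) tuples in chronological order."""
    known = {u: set(ips) for u, ips in known_ips.items()}  # do not mutate input
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.user, e.ip)
        if not e.ok:
            recent_failures[key].append(e.ts)
            continue
        # Success after a burst of failures from the same address.
        fails = [t for t in recent_failures[key] if e.ts - t <= window]
        if len(fails) >= max_failures:
            alerts.append(("failures_then_success", e.user, e.ip, e.ts))
        recent_failures[key] = []
        # Success from an address this agent has never used before.
        if e.ip not in known.get(e.user, set()):
            alerts.append(("new_ip", e.user, e.ip, e.ts))
            known.setdefault(e.user, set()).add(e.ip)
    return alerts


def run_sample():
    return analyse(parse(SAMPLE_LOG), BASELINE_IPS)


if __name__ == "__main__":
    for kind, user, ip, ts in run_sample():
        print(f"{ts.isoformat()} {kind}: {user} from {ip}")
```

On the sample, agent.b's sign-ins match the baseline and produce nothing, while agent.a's late-night success from 192.0.2.55 raises both alerts; in practice the baseline would be built from a trailing window of the same log rather than hard-coded.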
How to identify sensitive data in Zendesk
If you accept customer payments then it is vital you don’t store any bank account information or payment information within Zendesk. To set up automated protection in Nightfall simply:
- Select applicable Financial detectors, set the Minimum Confidence level to Very Likely, and set alerts to trigger on Any Detectors
Secrets and Keys
When providing support for SaaS products or development services, customers may be required to provide passwords, API keys, or logs. For example, support agents may unknowingly be sharing a link that has an embedded auth token. These credentials can be used for privilege escalation attacks and may lead to data being exposed in your systems or customer systems. These details should not be stored and should be redacted or removed. Nightfall can automate this process by:
- Use the Advanced Secrets Detection detector, set the Minimum Confidence level to Likely, and set the alerts to trigger on Any Detectors
Collecting customer information such as SSNs, names, and street addresses is often required when providing support to customers to verify their identity. However, with increasing regulations such as GDPR and CCPA, it is important that you minimize the amount of PII stored. Nightfall can help find and remove superfluous PII by instituting the following simple rules:
- Select the person name detector and combine it with one of the following detectors: US social security number, US driver's license, US passport, US Individual Taxpayer Identification Number (ITIN); set the Minimum Confidence level to Very Likely, and set alerts to trigger on Any Detectors
Patient PHI (HIPAA)
If you provide health services your customer support team may need to collect patient information to verify their identity or to relay the information to the care team. However, PHI is subject to HIPAA rules and must be protected via DLP. Instituting the following rules in Zendesk will help ensure you stay compliant and avoid fines:
- Use the Protected Health Information (PHI) detector, set the Minimum Confidence level to Likely, and set the alerts to trigger on Any Detectors
Maintain compliance with standards such as ISO 27001
As your business grows you will likely become subject to leading compliance standards such as ISO 27001, SOC 2, HITRUST, and more. These standards all come with complex requirements about how data is stored and protected. Detailed instructions on how to set up continuous compliance with these standards are contained here.
How to remediate sensitive data in Zendesk
Remove sensitive data
For any high-risk information, redaction and deletion of data are recommended. You can instantaneously mask any sensitive information in a ticket comment, title, or tag. For attachments, you can immediately delete them. In most cases, attachments are public by default in Zendesk, meaning anyone with the link can see the information, so ensure you institute our recommendation from Part 2.
Make the information private
Employee productivity needs to be maintained and not impacted by security measures. Nightfall’s “Mark as Private” feature allows the data in question to be converted to an internal note. As a result, any external-facing user of Zendesk will be unable to see the sensitive information in future conversations.
Security is a continuous process of training and education. Nightfall assists security teams by providing the tools they need to notify their employees with customized messaging. You can use this to coach employees who repeatedly enter sensitive information.
Want to learn more about Nightfall’s user-friendly DLP integration in Zendesk Support? Book a demo with our team today, check out Nightfall DLP in the Zendesk Marketplace, or book a free risk assessment to ensure your Zendesk instance is secure.