Security Manager's Journal: The sales rep and the honey tokens

A competitor suddenly seems to know a lot about the company's customers. Is a former employee involved?

Trouble Ticket

A competitor is sending messages to the customer email addresses in the company's database -- including some dummy addresses set up for testing purposes. Action plan: Use logs and email archives to find out whether an ex-employee stole the data.

When employees have easy access to data, you have to trust them to do the right thing, but you also need ways to verify that they are doing the right thing. That's why I think it's important to invest in things like data leak prevention. We're still tuning our DLP installation, but it nonetheless paid off this week, as did something referred to as "honey tokens."

Here's what happened. We use Salesforce as the single repository for information about all of our current customers, potential sales opportunities, sales forecasts and more. It's all highly sensitive material and not anything we'd like our competitors to get their hands on.

That's why one of our marketing executives was worried when she called me into her office earlier this week. She had received a marketing email from one of our competitors. The interesting thing about this email was that it was sent to all of the dummy, or "honey token," email accounts that we had set up in Salesforce for testing purposes. The implication was that the email had also gone to all of our legitimate customers and that this competitor somehow had gotten access to the information in our Salesforce deployment.

An Inside Job

We spread the word about this discovery to our sales and marketing management teams, and someone pointed out that a sales representative in one of our largest Latin American offices had recently resigned to take a position at the very competitor that had sent the marketing emails. Could it be that simple? Could this ex-employee have been careless enough to download contacts from Salesforce to use in his new job?

If so, I thought, then he might have been stupid enough to log in from the office before he stopped working for us. I asked our Salesforce administrators to pull the access logs for the past five days. Some quick Excel filtering revealed that, sure enough, this guy had accessed Salesforce at 4 p.m. on his last day of work!

All right, what did he do during this session? Learning that would require detailed log information, which meant opening a support ticket with Salesforce. When we got the logs a few days later, we saw that the sales rep had run several reports to export complete contact information for all of our customers, as well as a list of potential opportunities and sales pipeline data.
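The two checks in this story, matching a suspicious mailing's recipients against the seeded honey-token addresses and filtering CRM access logs for a departing employee's activity, as an added example that is not part of the column. All addresses, usernames, log rows and the departure date are constructed sample data.

```python
# Added example: honey-token detection plus departing-user log correlation.
# All data below is constructed for illustration, not taken from the column.
from datetime import datetime, timedelta

# Constructed: dummy contact addresses seeded in the CRM purely as tripwires
HONEY_TOKENS = {"hq-test-01@example.com", "hq-test-02@example.com"}

# Constructed: recipient list of a third-party marketing email forwarded for review
INBOUND_RECIPIENTS = ["alice@customer.example", "HQ-Test-01@example.com", "bob@customer.example"]

# Constructed CRM access-log rows: (user, ISO timestamp, action)
ACCESS_LOG = [
    ("jperez", "2012-10-29T16:02:00", "Login"),
    ("jperez", "2012-10-29T16:05:00", "ReportExport"),
    ("msmith", "2012-10-29T09:10:00", "Login"),
]

# Constructed HR roster: last working day per departing user
DEPARTURES = {"jperez": "2012-10-29"}


def honey_token_hits(recipients, tokens=HONEY_TOKENS):
    """Return honey-token addresses found in a recipient list (case-insensitive)."""
    seen = {r.strip().lower() for r in recipients}
    return sorted(seen & {t.lower() for t in tokens})


def departing_user_activity(log, departures, window_days=5):
    """Return log rows where a departing user acted within window_days of their last day."""
    hits = []
    for user, ts, action in log:
        if user not in departures:
            continue
        last_day = datetime.fromisoformat(departures[user])
        when = datetime.fromisoformat(ts)
        # Window runs from window_days before the last day up to the end of that day
        if last_day - timedelta(days=window_days) <= when < last_day + timedelta(days=1):
            hits.append((user, ts, action))
    return hits


def exports_by_departing_users(log, departures, window_days=5):
    """Narrow the departing-user activity to bulk report exports, the rows worth escalating."""
    rows = departing_user_activity(log, departures, window_days)
    return [row for row in rows if row[2] == "ReportExport"]
```

A single honey-token hit in a mailing you did not send is enough to open an investigation; the export rows then tell you which user and session to pull detailed logs for.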

I wanted to know more. I had my security analyst pull emails out of the archives. (We have enabled journaling in our Microsoft Exchange corporate email, so that all emails, both sent and received, are captured, even if they were deleted.) Nothing there. However, our recently deployed DLP tool does have rules for detecting customer account numbers. Making use of that feature, we found several unencrypted webmails in which the sales rep sent himself .zip files containing all the exported reports. Although we didn't find an email in which those files were sent to our competitor, we did come across one in which he mentioned that he would be "bringing over" his customer portfolio.

At that point, I gathered my evidence and provided it to our legal counsel and human resources department so they could take action.

And next for the security team? I will be meeting with the owners of our other applications to propose the expansion of the use of honey tokens. And this incident is just what I needed for my 2013 budget planning, which will surely include proposals for additional investment in our DLP infrastructure.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
