Slack Technologies, the company whose cloud-based collaboration tools and services are used by companies worldwide, has warned potential investors that the company faces threats from a wide variety of sources, including “sophisticated organized crime, nation-state, and nation-state supported actors.”
Acknowledging the risk
In the documents it was required to file with the Securities and Exchange Commission (SEC) due to its going public, the company has spelled out the many cyber threats to its existence, functioning and financial results (and investors’ bottom line): “traditional” computer hackers, malicious code, employee theft or misuse, password spraying, phishing, credential stuffing, DoS attacks, compromised API keys and passwords, and so on.
“The security measures we have implemented or integrated into Slack and our internal systems and networks (including measures to audit third-party and custom applications), which are designed to detect unauthorized activity and prevent or minimize security breaches, may not function as expected or may not be sufficient to protect Slack and our internal systems and networks against certain attacks,” the company added, pointing out as an example the data breach it suffered in March 2015.
The inclusion of these points is not unusual, as the SEC mandates disclosures of cybersecurity risks and incidents before IPOs. But what caught the eye of many is the fact that Slack explicitly mentioned “organized crime” and “nation-states” as attackers who might want to breach its defenses.
The company did not say that it was actually breached by these types of attackers, but it is obviously aware of the possibility and underlying risk.
It should not come as a surprise, though. Slack is widely used in enterprise settings for collaboration and exchanging information, so it’s a goldmine of sensitive (and proprietary) information.
Also, as EFF’s Director of Cybersecurity Eva Galperin pointed out, journalists and activists regularly use Slack to talk about sensitive projects, despite Slack not offering adequate security protections such as extensive encryption and a self-hosting option.
Slack can be subpoenaed by governments to share users’ content stored on its servers, but could also be breached by nation-state supported actors to grab information they might otherwise not be able to access. The company is obviously aware of that risk and correctly assesses that it cannot entirely mitigate it.