Zendesk: Is Sensitive Data Exfiltrating via Tickets?

Zendesk offers a lot of tools to help businesses improve the customer experience, including help desk functions, email marketing, live chat and customer engagement tools. As part of this, Zendesk hosts and provides a historical trail for a wealth of customer data – some of which is highly confidential, such as credit card numbers or addresses.

If your organization uses Zendesk for processing sensitive data, you need to be wary of data loss risks and compliance regulations, such as Payment Card Industry Data Security Standard (PCI DSS). 

The top 5 risks

  1. End user error: To help its customers meet compliance, Zendesk offers a PCI-compliant ticket field for users to enter their card details. However, as the platform itself notes, this does not always prevent data loss. If sensitive data is entered into the wrong form, for example, Zendesk does not automatically redact it. You have to proactively enable Zendesk’s Automatic Redaction tool first.

  2. Redaction limitations: Zendesk’s Automatic Redaction tool is not 100% accurate. In the same blog, Zendesk also states: “The checks don't guarantee that all credit card numbers will be identified.” Furthermore, while Zendesk’s credit card number field is PCI-compliant, the redaction tool is not.

  3. Sensitive data may already be leaking: Zendesk’s Automatic Redaction tool only works on new information, as you can see below. Without proper redaction, sensitive data may already be stored in multiple places on your systems – putting you at odds with compliance regulations.

  4. The insider threat: Unless your organization has strong user administration configurations, all of the above means that the insider threat is a potent risk. Potentially, any member of your team could see – and steal – sensitive data.

  5. Third-party risk: If your customers access Zendesk through a third-party app or browser, security support is limited. External applications could receive customers’ sensitive data when they’re not meant to. If unencrypted, this data could even be intercepted by threat actors.
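Risks 2 and 3 above come down to the same two questions a defender has to answer: how reliable is pattern-based card-number detection, and what is already sitting in the ticket history? The following added example (not Zendesk’s or Polymer’s code; Zendesk’s actual detection logic is not published on this page and is not reproduced here) scans a constructed set of ticket bodies for primary account numbers (PANs) using a Luhn check, compares a naive digit-run pattern against one that tolerates spaces and dashes, and redacts hits to the last four digits. The ticket corpus, the two regular expressions and the `audit`/`redact` helpers are all this example’s own assumptions.

```python
import re

# Constructed sample ticket corpus (hypothetical data, not real tickets).
# The two 16-digit values that pass the Luhn check are well-known test PANs;
# ticket 104 carries a 16-digit order reference that fails Luhn.
TICKETS = [
    {"id": 101, "body": "Please charge 4111111111111111, thanks"},
    {"id": 102, "body": "card: 5555 5555 5555 4444 exp 12/27"},
    {"id": 103, "body": "my card is 4111-1111-1111-1111"},
    {"id": 104, "body": "order ref 1234567890123456 still missing"},
    {"id": 105, "body": "no card details here"},
]

# Naive detector: an unbroken run of 13-19 digits. Misses formatted numbers.
NAIVE_PAN = re.compile(r"\b\d{13,19}\b")

# Tolerant detector: 13-19 digits with optional single spaces or dashes
# between them. Catches "5555 5555 5555 4444" and "4111-1111-1111-1111".
FORMATTED_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"[ -]", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str, pattern: re.Pattern) -> list:
    """Return the raw substrings of text that look like Luhn-valid PANs."""
    return [m.group(0) for m in pattern.finditer(text) if _is_pan(m.group(0))]


def redact(text: str, pattern: re.Pattern) -> str:
    """Replace every Luhn-valid PAN with a marker keeping only the last 4 digits."""
    def repl(m):
        if _is_pan(m.group(0)):
            digits = re.sub(r"[ -]", "", m.group(0))
            return "[REDACTED PAN ****" + digits[-4:] + "]"
        return m.group(0)
    return pattern.sub(repl, text)


def audit(tickets: list, pattern: re.Pattern) -> dict:
    """Map ticket id -> list of PAN hits, for tickets that contain at least one.

    This is the 'already leaking' check: it runs over stored history, not
    only over new submissions.
    """
    findings = {}
    for t in tickets:
        hits = find_pans(t["body"], pattern)
        if hits:
            findings[t["id"]] = hits
    return findings


if __name__ == "__main__":
    print("naive detector   :", audit(TICKETS, NAIVE_PAN))
    print("tolerant detector:", audit(TICKETS, FORMATTED_PAN))
    for t in TICKETS:
        print(t["id"], "->", redact(t["body"], FORMATTED_PAN))
```

Running the audit with both patterns shows the point the Zendesk quote makes: the naive pattern flags only ticket 101, while the tolerant one also catches 102 and 103, and the Luhn check keeps the order reference in 104 from being redacted. The tolerant pattern is not the end of the story either; it will still miss numbers split across lines or padded with other separators, and it will produce more false positives on unrelated digit groups, which is why a detector of this kind cannot be treated as a compliance guarantee on its own.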
Enhance your Zendesk data security & governance

It’s clear that these factors put organizations at risk of data leaks and compliance fines. However, under the shared responsibility model of the cloud, it is the organization’s fault if this kind of incident occurs – not Zendesk’s. 

While the company’s redaction tool offers a partial solution, by itself it is not enough for organizations to be confident that they are storing sensitive data correctly. With PCI compliance fines costing organizations anywhere between $5,000 to $100,000 a month, depending on the length and degree of non-compliance, further data protection is needed.

That’s why Polymer recently introduced an integration app to monitor and secure sensitive data, including PII, PHI and other HIPAA-regulated data, within your Zendesk instance.

Using cloud-hosted machine learning, Polymer identifies sensitive data in mid-transfer and encodes that data to prevent unauthorized accounts from ever seeing protected information. 

Polymer’s easy-to-use administrative dashboard allows simple user and role management to determine who can see what, as well as customizable configuration to identify industry- or company-specific sensitive information, significantly reducing the cost and worry of data protection compliance while using Zendesk.