DocuSign, the leading electronic document-signing company for over a decade, promises to “move business forward securely and reliably” on its website. Last Monday, their promise fell short of reality.
The company announced that in a brazen breach of security, hackers illegally acquired email addresses and contact lists of clients, which were later used to launch damaging phishing attacks. The messages contained a link to a Microsoft Word document containing malware.
Malicious third party
In a statement the company said, “Today we confirmed that a malicious third party had gained temporary access to a separate, non-core communication system used for service-related announcements that contained a list of email addresses.”
The extent of the hack was unspecified by the company, leading to speculation that the reach was deep and widespread.
It was also unclear how many clients fell victim to the phishing attacks.
But DocuSign denied an invasive attack, stressing that only email addresses were compromised. The company statement claimed, “A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed.”
It seems that secured documents sent by clients through its system for eSignature were not compromised.
But the company feared that phishing attacks bearing a counterfeit DocuSign logo and sent from addresses ending in “docus.com”, a lookalike domain, would continue to proliferate. The emails lured victims with a purported wire transfer or accounting invoice declaring “Document Ready for Signature”.
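As an added, defender-side example (not part of the original article and not DocuSign's own code), the script below triages a raw email for the three traits just described: a sender domain that resembles docusign.com without being it, a signature lure in the subject, and a Word attachment. The legitimate-domain set, lure phrases and the sample message are assumptions constructed for this demonstration.

```python
"""Triage heuristics for the DocuSign-themed phishing described above:
lookalike sender domain (docus.com), a "Document Ready for Signature"
lure and a Word attachment. Added example, not DocuSign's code."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAINS = {"docusign.com", "docusign.net"}  # assumed legitimate senders
LURE_PHRASES = ("document ready for signature", "wire transfer", "invoice")
WORD_EXTS = (".doc", ".docx", ".docm")

def lookalike(domain):
    """True if domain is not a real DocuSign domain but closely resembles one."""
    domain = domain.lower()
    if domain in LEGIT_DOMAINS:
        return False
    return any(SequenceMatcher(None, domain, d).ratio() >= 0.8 for d in LEGIT_DOMAINS)

def triage(raw):
    """Return the list of indicator names found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    if lookalike(addr.rpartition("@")[2]):
        hits.append("lookalike-sender-domain")
    subject = msg.get("Subject", "").lower()
    if any(p in subject for p in LURE_PHRASES):
        hits.append("signature-lure-subject")
    if any((p.get_filename() or "").lower().endswith(WORD_EXTS) for p in msg.walk()):
        hits.append("word-attachment")
    return hits

# Constructed sample mirroring the lure in the article (no real payload).
SAMPLE = """\
From: DocuSign <dse@docus.com>
Subject: Wire Transfer: Document Ready for Signature
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="Invoice.doc"
Content-Disposition: attachment; filename="Invoice.doc"

--b1--
"""
```

Running `triage(SAMPLE)` returns all three indicator names; a genuine message from docusign.com with no lure subject or Word attachment returns an empty list.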
In our digital era, huge waves of coordinated phishing attacks, sometimes even state-sponsored, have become extremely common. So some security experts seemed not too alarmed by the DocuSign breach. Troy Hunt, a security expert, told Inc.com, “It’s usually a trivial affair to track down someone’s address because after all, that’s how you get in touch with them!”
However, the resulting phishing attack contained sophisticated malware in the attachment that had the potential to access passwords or even banking credentials.
To its clients, the company struck a tone of extreme caution and instructed them to “forward any suspicious emails related to DocuSign to firstname.lastname@example.org, and then delete them from your computer.”
It assured them further by saying, “We took immediate action to prohibit unauthorized access to this system, we have put further security controls in place, and are working with law enforcement agencies.”
DocuSign’s business is built on trust.
It has access to extremely confidential documents—from sensitive business contracts to medical records. Any report of digital vulnerability might immediately turn clients away from using its services.
The company seems to be acutely aware of this.
Nearly five years ago, the American Genius ran a story about how many DocuSign clients’ information appeared to have been publicly accessible through Google search.
The company vehemently denied any breach of security back then and explained, “it appears that a very small number of DocuSign users have saved their own personal copies of their signed documents to publicly accessible and searchable locations outside of the secure DocuSign Global Network,” essentially shifting the blame onto users.
No scapegoat this time
This time around, the company had to admit that a third party caused the breach.
On its website, DocuSign tells clients to “get to ‘yes’ faster” by using services that are “more secure than paper.”
On paper, in fact, that’s not true anymore.