In a filing with the Securities and Exchange Commission (SEC), Slack Technologies reveals it is facing ongoing threats from nation-state actors, organized crime, and traditional one-off hackers alike.
Slack develops and sells a proprietary set of cloud-based collaboration tools employed by millions worldwide. Companies big and small rely on its solutions to collaborate on projects, develop intellectual property, as well as communicate and share sensitive data and files. Naturally hackers are after it, as they are after any platform generating troves of proprietary or customer data. But while Slack maintains a good security posture, now that it is going public, the company’s board of directors feels compelled to warn investors of the risks Slack faces out there.
In a filing to the SEC – a requirement for every company before becoming a publicly-traded entity – Slack warns that it is one of many companies subject to a variety of ongoing attacks on its systems. One chunk of text jumps out:
“In addition to threats from traditional computer ‘hackers,’ malicious code (such as malware, viruses, worms, and ransomware), employee theft or misuse, password spraying, phishing, credential stuffing, and denial-of-service attacks, we also face threats from sophisticated organized crime, nation-state, and nation-state supported actors who engage in attacks (including advanced persistent threat intrusions) that add to the risks to Slack, our internal systems and our partners’ systems, as well as the systems of organizations on Slack and the information that they store and process.”
It is unclear if Slack’s IT guys picked up any such attempts on its infrastructure in recent times, or whether the warning is merely preventative as per the requirements of SEC investor briefings. However, Slack is known to have been the target of at least one cyber attack that made the news a few years ago, when hackers accessed email addresses, usernames, hashed passwords, and, in some cases, phone numbers and Skype IDs that users had associated with their accounts.
Slack further warns investors that although it has deployed preventative measures against hacks, it may not be able to deter all hacking attempts, such as a data breach suffered by one of its partners or clients. It therefore notes, “it may not be possible for us to anticipate these techniques or implement adequate preventative measures to prevent an electronic intrusion into our systems and networks and we may be required to expend significant capital and financial resources to protect against such threats or to alleviate problems caused by breaches in systems, network, or data security.”
Slack’s SEC filing obviously expands on the topic, so those interested in reading the full literature can access it here. The document also outlines that Slack may face particular privacy, data security, and data protection risks in Europe because of the General Data Protection Regulation (GDPR).