Zendesk

Problem

Customers post sensitive personal information (PII or PHI) on Zendesk tickets for a given business function. Some of the burning reasons on why your Zendesk account needs to be protected:

• All organizations are subject to security attacks and breaches. Zendesk is also not immune. In 2016 Zendesk was subject to a data breach exposing 10,000 Zendesk accounts where sensitive PII (Personally Identifiable Information) was accessed.
• Compliance: Every day government legislation is passing Consumer Privacy laws geared to protect consumer data from malicious entities. California and Illinois have been the latest to introduce these laws, including a Biometric Information Privacy Act. For many organizations, data can be spread across a wide range of systems, which can be challenging to keep up with Privacy law enactments. It is a nightmare for companies to do manual cleanup of those sensitive messages sitting within your employee's Zendesk account as deep inspection is time-consuming and error-prone. At the same time, you need to stay compliant and prevent exfiltration of sensitive data.
• In the first six months of 2019, a reported 3,813 data breaches affected 4.1 billion records, an increase from 2018. Of which, 70% of leaks exposed user emails, while 65% included sensitive information revealing passwords. According to IBM, the average time it takes for an organization to identify a data breach occurred is 206 days, with an organizational cost of $3.92 million.
• Between 2018 and 2020, there was a 47% increase in insider threat incidents. This includes malicious data exfiltration and accidental data loss.‍

Solution

Strac Zendesk App is a Data Loss Prevention (DLP) software. It masks (aka redacts) sensitive comments and attachments while still giving the opportunity to authorized users to view those Zendesk tickets in Strac UI Vault. A business can configure a list of sensitive data elements (SSN, DoB, DL, Passport, CC#, Debit Card, API Keys, etc.) to redact. Compliance, Risk and Security officers will get audit reports of who accessed which messages.

Below is a sample list of sensitive data elements that will be detected & redacted:

• Identity: Drivers License, Passport, SSN (Social Security Number), etc.
• PII: Name, Address, Email, Phone, DoB, Age, Gender, Ethnicity, etc.
• PHI: PII data, Medical Record Number (MRN), Medical Notes, etc.
• Payments: Bank Account, Routing Numbers, Credit Card, Debit Card, etc.
• Secrets: API Keys, Passwords, Passphrases etc.
• Physical Network: IP Addresses, MAC Address, etc.
• Crypto Secrets: Bitcoin, Ethereum, Litecoin Addresses, etc.
• Custom: Create your own rules or use regex