topic Re: PaloAlto Networks Discloses Confidential Security Information to Third Parties w/o customer cons in General Topics

PaloAlto Networks Discloses Confidential Security Information to Third Parties w/o customer consent

JohnWade — Fri, 27 Apr 2018 21:41:21 GMT

I just was emailed a Palo Alto Networks security report listing information on all of the wildfire submissions from our organization. This email came from a vendor that we had never purchased Palo Alto products from and contained detailed information about our environment.

I was shocked and disturbed by this disclosure. Support refered me to the Privacy Policy

https://www.paloaltonetworks.com/legal-notices/privacy

This privacy policy sure as heck does not seem to cover this case. Has anyone else had this happen?

Thanks,

John Wade

Re: PaloAlto Networks Discloses Confidential Security Information to Third Parties w/o customer cons

pulukas — Sat, 28 Apr 2018 16:07:22 GMT

I can't comment on your specific situation without the details but I am guessing the communications you received falls under this section of the privacy policy.

Business Partners.

We may share Your Information with our business partners and channel partners so that they can provide you with information on our products or services, or follow up on a sales lead. If you do not wish to receive promotional emails from our partners, you can unsubscribe directly in the footer of the partner’s email to you.

Assuming the people contacting you were from a PAN partner/reseller and using the information about your usage as an opportunity to upsell other PAN products and services.

Many businesses will use transactional and other information to generate sales leads in this way for either interal sales teams and partners. And in this time of Big Data with machine learning you can expect this to increase. Some companies have a method to opt out of such activities. You could explore that with your account manager or sales engineer.

Re: PaloAlto Networks Discloses Confidential Security Information to Third Parties w/o customer cons

BPry — Sat, 28 Apr 2018 16:15:32 GMT

@JohnWade,

I'm going to disagree with @pulukas on this being a partner staying within their lane. The partner can pull what devices you have and likely form a basic understanding of your network from that information. If your SE if leaving detailed account notes they may also know that you have a 7000 series as your primary firewall, 3200s seperating building, and 220s segmenting departments. There can be a lot of design information in your customer profile.

What they shouldn't have been able to do is pull any WildFire submissions using what they have access to as a partner. This is the section that concerns me and one that you should investigate with your SE and account manager. A partner should neve recieve access to your WildFire enviroment if you have no working relationship with them.

Re: PaloAlto Networks Discloses Confidential Security Information to Third Parties w/o customer cons

pulukas — Sat, 28 Apr 2018 16:27:48 GMT

As I said, I can't comment on the specifics of the situation because I don't have the details and am not a PAN or partner employee so also don't know the procedures.

But I would start by assuming everyone is above board and asking the what/where/why of the account team as I mentioned. In other words give people the benefit of the doubt as you gather more information to make a fully informed judgement.

Re: PaloAlto Networks Discloses Confidential Security Information to Third Parties w/o customer cons

JohnWade — Wed, 02 May 2018 13:41:28 GMT

Well, I am following up with Legal and our sales team. It sure doesn't seem right to me.