How Secure Is Your Private and Corporate Information with Slack?


Slack is a great tool for staying in touch with people on a team, whether that is a sports team, your video game squad, or your team at work. Many people use the platform for sending and receiving sensitive company information. Some use it for personal messages that they do not want publicized. Before sending that next message on Slack, it might be a good idea to read on. Do you know how secure your information is on the platform? Are you sure you want to use Slack to transfer sensitive information? Below you will find out how safe Slack truly is.

Privacy Concerns and Slack


Privacy concerns are at the top of everyone’s mind these days. From the Facebook scandal with Cambridge Analytica to concerns over government snooping, it truly is everywhere. Wherever you place your information online, you must be concerned with how private that information will remain.

Privacy concerns are heightened for extremely sensitive information that is exchanged at work between coworkers. Whether you use your Slack channel to talk about clients or you share critical information that could give the competition an advantage, you want to know your information is secure.

Slack and Government Information Demands

Slack’s privacy notices, updated in May of 2017, spell out how the company handles requests for information from government authorities. Slack states they do not voluntarily disclose information to governments. However, they will comply with requests by “courts, government agencies, or parties involved in litigation.” This means that the company does keep information and will disclose the information if compelled to by law.

It is important to recognize that third description, “parties involved in litigation.” This means that if a competitor sues you or your company, they may ask the court to compel Slack to turn over the information contained in your Slack channels. This might include critical information you would not want your competitor to gain access to.

How likely is this nightmare scenario to happen? According to Slack’s transparency report, between November 1, 2017 and April 30, 2018, Slack received a total of 14 requests for information from government authorities. Four of these requests resulted in no information disclosed. Six resulted in only non-content data disclosure. The final four resulted in content and non-content data disclosure. Content data includes public and private messages, posts, direct messages, and files.

While this is a relatively small number of disclosures, the number has grown significantly. As Slack use becomes more common in businesses, this will likely continue to rise. Moreover, the implications for a company can be huge.

Slack’s Vulnerability to Hackers

As Slack has grown in popularity, it has become an attractive target for hackers. In 2014, hackers exploited a vulnerability in Slack that allowed unauthorized personnel to gain access to a company’s Slack teams. In 2015, the company was hacked again in an incident Slack describes as a security breach.

Slack also offers a bounty to anyone reporting a bug to the company. Over the years, this has resulted in several key vulnerabilities being reported to them. One such bug would have allowed unauthorized users access to all the team’s information. Slack was able to fix these before anyone could exploit them.

Perhaps more common is the ability of malicious users to deceive a company’s IT department to gain access to company email and their Slack channels. This is harder to fight against in medium sized companies that are too large for the IT department to know everyone by name. Many companies simply lack the resources to ensure everyone follows appropriate security policies. If information security is not a top priority in the company, a moderately sophisticated user can potentially gain access to your Slack team and all your channels.

Slack Privacy for Individual Users

From an employee standpoint, you may be less concerned with how vulnerable your company’s information is, and more concerned with how private your personal information is on Slack. In fact, if you use Slack as part of your company’s team, it is likely your boss or their boss has access to every post, even direct messages, that you send.

This is easy to check. From your profile, click on ‘Account Settings’ and then click ‘Workspace Settings’. Check the ‘Team Settings’ page. Finally, look for the checkmark next to “compliance reports” for your team. This allows the workspace owner to download a compliance report. This report contains every bit of information from the team that passes through Slack.

Many companies that must maintain transparency for legal or business reasons use the compliance reports feature to cover the company’s legal bases. However, if the company suspects an employee is doing something wrong, an administrator can easily pull a report. This report will reveal every DM you sent to your co-worker disparaging your boss, the DM you sent your friend about calling in sick next Friday, and everything else you’ve done in Slack.

If your company does not currently enable compliance reports, you may still worry about the future. If your company changes the setting, you should receive a Slackbot notice informing you of the change. Also, your message history prior to turning on compliance reports will not be available in the report.

Act Now to Secure Your Privacy

What can you do to protect private information from becoming public either through government compulsion, a hacker gaining access to your account, or your boss pulling a compliance report? The best advice is to keep extremely sensitive information off Slack entirely. Consequently, you help to protect the information from government requests and potentially from hackers as well.

If you go this route, make sure investing in information security is a top priority for your company. Moreover, ensure everyone with access to secure information follows security policies. Running a security audit on a regular basis will help ensure everyone is kept up to date on information security procedures and is following through appropriately.

Check to see if your team enables compliance reports. If it does not, you may have less to worry about from your boss reading that mocking DM you sent. However, there’s always the possibility that you sent it to the wrong person by accident. A good rule of thumb is to always assume anything in print can become public. It may be a good idea to keep those comments to yourself or save them for when you get together after work.

Tech journalist
Tove has been working for VPNoverview since 2017 as a journalist covering cybersecurity and privacy developments. She has broad experience developing rigorous VPN testing procedures and protocols for our VPN review section and has tested dozens of VPNs over the years.