Sensitive Customer Data Exposed on Thousands of Oracle NetSuite E-Commerce Sites

Oracle NetSuite’s SuiteCommerce ERP Platform Exposes Sensitive Customer Data

A widespread misconfiguration in Oracle NetSuite’s SuiteCommerce enterprise resource planning (ERP) platform has put sensitive customer data at risk on thousands of websites, according to security firm AppOmni. The issue arises from misconfigured access controls on custom record types (CRTs), allowing unauthorized access to customer records containing personal addresses and phone numbers.

AppOmni’s chief of SaaS security research, Aaron Costello, highlighted the significant scale of businesses leaking such sensitive data due to misconfigurations. The problem primarily affects externally facing stores on NetSuite’s SuiteCommerce platform, enabling unauthorized individuals to query sensitive information without authentication through URL manipulation.

While NetSuite has urged customers to review and tighten their security settings, many businesses may not be aware that their sites are leaking data or are being targeted. Costello emphasized the need for more education on implementing robust SaaS security programs to tackle both known and unknown risks.

The incident underscores a broader trend of rising cybersecurity challenges in SaaS environments, with recent attacks on customer accounts hosted on platforms like Snowflake. Traditional defense strategies, such as the Lockheed Martin cyber kill chain, are being reevaluated in light of the altered attack surface in SaaS.

As threat actors target enterprise data within SaaS applications, organizations must adapt their defenses and assess access controls at a granular level to protect sensitive information. With the growing complexity of SaaS functionality, addressing these risks requires a proactive and informed approach to cybersecurity.
