20 Feb 2026, Fri

The AI Supply Chain Attack: A Growing Threat to Customer Experience Platforms

Customer experience (CX) platforms, once perceived as simple survey tools, are now sophisticated engines processing billions of unstructured interactions annually. These interactions, encompassing everything from customer survey forms and online reviews to social media feeds and call center transcripts, are fed into powerful AI engines. These AI systems, in turn, trigger automated workflows that directly impact critical business operations like payroll, customer relationship management (CRM), and payment systems. However, a significant vulnerability has emerged: security operations center (SOC) leaders lack the tools to inspect the data ingested by these CX platform AI engines. This blind spot has been exploited by attackers who "poison" the data, effectively turning the AI against the organization it’s meant to serve.

The stark reality of this threat was vividly demonstrated by the August 2025 Salesloft/Drift breach. In this incident, attackers successfully compromised Salesloft’s GitHub environment, a repository for software development code. From there, they pilfered Drift chatbot OAuth tokens, highly sensitive credentials that grant access to various applications. This compromise allowed them to gain unauthorized access to the Salesforce environments of over 700 organizations, including prominent tech giants like Cloudflare, Palo Alto Networks, and Zscaler. The attackers then meticulously scanned the exfiltrated data, specifically searching for high-value assets such as AWS keys, Snowflake tokens, and plaintext passwords. Alarmingly, this sophisticated attack achieved its objectives without deploying any traditional malware, highlighting a shift towards more insidious, data-centric exploitation methods.

This critical gap in security oversight is far wider than most security leaders acknowledge. According to Proofpoint’s 2025 Voice of the CISO report, which surveyed 1,600 CISOs across 16 countries, a staggering 98% of organizations claim to have a data loss prevention (DLP) program in place. However, the report reveals a disheartening statistic: only 6% of these organizations have dedicated resources to support their DLP efforts. This lack of investment leaves existing programs largely ineffective. Further compounding the issue, CrowdStrike’s 2025 Threat Hunting Report indicates that 81% of interactive intrusions now leverage legitimate access credentials rather than malware. This trend is particularly pronounced in cloud environments, where intrusions surged by an alarming 136% in the first half of 2025, underscoring the growing reliance on compromised credentials and insider threats.

Assaf Keren, Chief Security Officer at Qualtrics and former CISO at PayPal, articulated this critical misperception in a recent interview with VentureBeat. "Most security teams still classify experience management platforms as ‘survey tools,’ which sit in the same risk tier as a project management app," Keren stated. "This is a massive miscategorization. These platforms now connect to HRIS, CRM, and compensation engines." He emphasized the sheer scale of data processed by these platforms, noting that Qualtrics alone handles 3.5 billion interactions annually, a figure that has doubled since 2023. This exponential growth in data volume, coupled with the increasing integration into core business systems, means that organizations "can’t afford to skip steps on input integrity once AI enters the workflow."

In response to this escalating threat landscape, VentureBeat conducted an in-depth investigation, spending several weeks interviewing security leaders who are actively working to bridge this critical gap. Through these conversations, six pervasive control failures emerged consistently, creating a significant vulnerability between the traditional security stack and the AI engines of CX platforms.

Six Blind Spots Exposing the AI Supply Chain:

  1. DLP’s Inability to Detect Unstructured Sentiment Data: Current Data Loss Prevention (DLP) policies are primarily designed to identify and flag structured Personally Identifiable Information (PII) such as names, email addresses, and payment card details. However, the open-text responses generated within CX platforms often contain highly sensitive, unstructured data. This includes details about salary complaints, personal health disclosures, and candid executive criticisms. These types of data do not conform to standard PII patterns, rendering them invisible to traditional DLP mechanisms. When a third-party AI tool accesses and exports this data, the transaction is often logged as a routine API call, bypassing DLP alerts entirely.

  2. Lingering Zombie API Tokens: A common and dangerous oversight involves the management of API tokens. For instance, a marketing campaign that concluded six months ago might have utilized OAuth tokens to connect the CX platform to vital systems like HRIS, CRM, and payment gateways. If these tokens were never revoked upon the campaign’s completion, they remain active and represent a significant lateral movement pathway for attackers. Patrick Opet, CISO at JPMorgan Chase, highlighted this risk in his April 2025 open letter to suppliers. He warned that "SaaS integration models create ‘single-factor explicit trust between systems’ through tokens ‘inadequately secured… vulnerable to theft and reuse.’"

  3. Lack of Bot Mitigation for Public Input Channels: While web application firewalls (WAFs) are designed to inspect HTTP payloads for web applications, this security coverage does not extend to public-facing input channels that feed CX platforms. This means that fraudulent sentiment, malicious reviews submitted to platforms like Trustpilot or Google Maps, or malicious open-text survey responses are ingested as legitimate input without any prior inspection. Security leaders and vendors interviewed by VentureBeat confirmed that a dedicated category for monitoring input channel integrity for public data sources feeding CX AI engines does not yet exist.

  4. Lateral Movement via Approved API Calls: Adversaries are increasingly bypassing traditional perimeter defenses by leveraging legitimate credentials. Daniel Bernard, Chief Business Officer at CrowdStrike, explained to VentureBeat, "Adversaries aren’t breaking in, they’re logging in. It’s a valid login. So from a third-party ISV perspective, you have a sign-in page, you have two-factor authentication. What else do you want from us?" Once inside, attackers can initiate data exfiltration that appears as normal activity to standard security monitoring tools. Bernard described scenarios where "terabytes of data are being exported out. It’s non-standard usage. It’s going places where this user doesn’t go before." A Security Information and Event Management (SIEM) system might register a successful authentication, but it lacks the visibility to detect this anomalous behavioral shift. Without "software posture management" specifically tailored for CX platforms, lateral movement often occurs through connections that security teams have already approved.

  5. Unreviewed Admin Privileges Held by Non-Technical Users: The configuration of CX integrations is frequently handled by marketing, HR, and customer success teams who prioritize speed and ease of use. Consequently, these critical integrations and the associated administrative privileges may go unnoticed by the SOC. Keren advocates for security to act as an enabler, so that these teams have no reason to work around security controls. Organizations that cannot produce a comprehensive and up-to-date inventory of all CX platform integrations and their administrative credentials are at risk of significant "shadow admin" exposure.

  6. Open-Text Feedback Stored Before PII Masking: Employee surveys often capture sensitive information, including complaints about managers by name, salary grievances, and health disclosures. Similarly, customer feedback can expose account details, purchase history, and sensitive service dispute information. Because this information arrives as free-text, it bypasses structured PII classifiers. If a breach occurs, attackers gain access to unmasked personal information, directly linked to the lateral movement pathways that led to the compromise.
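Blind spot 4 describes the detection problem concretely: the login is valid, so the SIEM sees a successful authentication, and the signal is only in how the session then behaves (export volume and destination out of line with that identity's own history). The following is an added example of that behavioural check, written for this article; it is not code from CrowdStrike, Qualtrics or any vendor named above. The audit-event schema (`ts`, `user`, `action`, `status`, `bytes`, `destination`), the thresholds and every event value are constructed for the illustration.

```python
"""Behavioural check over CX-platform export audit events.

Added example. The event schema (ts, user, action, status, bytes,
destination) and all event values are constructed for this illustration;
they are not Qualtrics, CrowdStrike or Salesforce log formats.
"""
import json
from collections import defaultdict
from statistics import median

MIN_HISTORY = 5    # exports needed before a user's own baseline is trusted
SPIKE_FACTOR = 10  # export size vs. the user's median that counts as a spike


def _routine_export(day, user, dest, size):
    """Build one constructed, ordinary-looking export event."""
    return {"ts": f"2025-08-{day:02d}T09:00:00Z", "user": user, "action": "export",
            "status": "success", "bytes": size, "destination": dest}


# Constructed JSON-lines audit log: a week of routine CRM syncs by a service
# account, then the same valid identity pulling far more data to a new place.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    *[_routine_export(d, "mkt_svc", "crm.example.internal", 40_000_000 + d * 1_000)
      for d in range(1, 8)],
    {"ts": "2025-08-09T03:14:00Z", "user": "mkt_svc", "action": "login",
     "status": "success", "bytes": 0, "destination": "-"},
    {"ts": "2025-08-09T03:15:00Z", "user": "mkt_svc", "action": "export",
     "status": "success", "bytes": 900_000_000_000, "destination": "203.0.113.7"},
])


def parse_events(log_text):
    """Parse JSON lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_anomalies(events):
    """Walk events in time order and flag exports that break the acting
    user's own history: a volume spike or a destination never seen before.

    A successful login is deliberately not a signal: the credential is
    valid, so authentication events look normal by construction.
    """
    history = defaultdict(list)  # user -> [(bytes, destination), ...]
    findings = []
    for ev in events:
        if ev["action"] != "export" or ev["status"] != "success":
            continue
        past = history[ev["user"]]
        reasons = []
        if len(past) >= MIN_HISTORY:
            typical = median(b for b, _ in past)
            if ev["bytes"] > SPIKE_FACTOR * typical:
                reasons.append(f"volume {ev['bytes']} exceeds {SPIKE_FACTOR}x "
                               f"the user's median of {typical:.0f} bytes")
            if ev["destination"] not in {d for _, d in past}:
                reasons.append(f"first export to destination {ev['destination']}")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "reasons": reasons})
        else:
            past.append((ev["bytes"], ev["destination"]))  # only clean exports shape the baseline
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

Flagged exports are held out of the baseline until triaged, so a single large pull cannot quietly raise the user's median and normalise the next one. The thresholds are illustrative; a production version would tune `MIN_HISTORY` and `SPIKE_FACTOR` per integration and key the history on the token or integration rather than only the user, since one user may legitimately hold several.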

The confluence of these six failures points to a fundamental problem: while SaaS security posture management (SSPM) has significantly matured for enterprise platforms like Salesforce and ServiceNow, CX platforms have been largely overlooked. There is a critical lack of continuous monitoring for user activity, permissions, and configurations within experience management platforms. Furthermore, policy enforcement for AI workflows processing this sensitive data is virtually nonexistent. As a result, bot-driven input or anomalous data exports hitting the CX application layer often go undetected.

In response, security teams are attempting to adapt with their existing toolsets. Some are extending SSPM tools to cover CX platform configurations and permissions. API security gateways are being deployed to inspect token scopes and data flows between CX platforms and downstream systems. Identity-centric security teams are implementing Cloud Access Security Broker (CASB)-style access controls for CX administrative accounts. However, these approaches fall short of addressing the unique demands of CX-layer security. They fail to provide continuous monitoring of who is accessing experience data, real-time visibility into misconfigurations before they become attack vectors, and automated protection that enforces policy dynamically rather than through periodic reviews.

A nascent but crucial development is the emergence of integrations purpose-built to address this gap. These solutions aim to connect posture management directly to the CX layer, offering security teams the same level of oversight over program activity, configurations, and data access that they expect for more established enterprise platforms. The partnership between CrowdStrike’s Falcon Shield and the Qualtrics XM Platform represents one such effort, providing security leaders with the comprehensive coverage they have been manually cobbling together and losing sleep over.

Beyond the technical ramifications, a significant aspect of this threat that is often overlooked is what Keren calls the "business blast radius." Incident scoping accounts for the technical damage, as he notes, "But not the business blast radius." When an AI engine, fed with poisoned data, triggers an incorrect compensation adjustment or a flawed business decision, the damage extends far beyond a typical security incident. It represents a critical business error executed at machine speed, creating a chasm between the CISO, the CIO, and the business unit owners. Currently, no single entity has clear ownership of this emergent risk.

"When we use data to make business decisions, that data must be right," Keren emphatically states. The path forward begins with a thorough audit, starting with the identification and remediation of dormant "zombie tokens." These are often the initial entry points for breaches of the scale seen with Salesloft and Drift. A 30-day validation window for token activity is a prudent starting point, as the speed of AI-driven operations means that vulnerabilities cannot be left unaddressed. The AI will not wait for a manual review cycle.
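Blind spot 2 and the closing paragraph both come down to the same audit: enumerate every OAuth token a CX integration holds, find the ones whose campaign ended or that have not been used within the 30-day validation window, and prioritise by what they can reach (HRIS, CRM, payment gateways). The block below is an added example of that audit, written for this article and not code from Qualtrics, CrowdStrike or any platform named here. The inventory fields (`token_id`, `integration`, `owner_team`, `scopes`, `last_used`, `campaign_end`, `revoked`) and the scope names are assumptions; real platforms expose equivalent data under their own names through admin or audit APIs, and the token records are constructed.

```python
"""Dormant ("zombie") OAuth token audit for CX-platform integrations.

Added example. The inventory fields and scope names below are assumptions
for illustration; real platforms expose different names through their
admin or audit APIs. Token records are constructed, not real.
"""
from datetime import datetime, timedelta, timezone

VALIDATION_WINDOW = timedelta(days=30)  # the 30-day activity window from the text
# Assumed scope names for the downstream systems the article calls high value.
HIGH_VALUE_SCOPES = {"hris:read", "payroll:write", "crm:write", "payments:write"}

AS_OF = datetime(2025, 8, 1, tzinfo=timezone.utc)  # audit date for the constructed data

# Constructed token inventory. last_used / campaign_end are ISO-8601 or None.
SAMPLE_INVENTORY = [
    {"token_id": "tok_a", "integration": "spring_promo_hris_sync", "owner_team": "marketing",
     "scopes": ["hris:read", "crm:write"], "last_used": "2025-02-27T10:00:00+00:00",
     "campaign_end": "2025-02-28T00:00:00+00:00", "revoked": False},
    {"token_id": "tok_b", "integration": "crm_nightly_sync", "owner_team": "cx_ops",
     "scopes": ["crm:read"], "last_used": "2025-07-31T02:00:00+00:00",
     "campaign_end": None, "revoked": False},
    {"token_id": "tok_c", "integration": "payments_pilot", "owner_team": "finance",
     "scopes": ["payments:write"], "last_used": None,
     "campaign_end": None, "revoked": False},
    {"token_id": "tok_d", "integration": "old_nps_export", "owner_team": "marketing",
     "scopes": ["survey:read"], "last_used": "2025-01-05T00:00:00+00:00",
     "campaign_end": None, "revoked": True},
    {"token_id": "tok_e", "integration": "q2_survey_export", "owner_team": "hr",
     "scopes": ["survey:read"], "last_used": "2025-06-15T00:00:00+00:00",
     "campaign_end": None, "revoked": False},
]


def _parse(ts):
    """ISO-8601 string (with offset) to aware datetime; None stays None."""
    return datetime.fromisoformat(ts) if ts else None


def audit_tokens(inventory, as_of=AS_OF, window=VALIDATION_WINDOW):
    """Return one finding per active token that is dormant, never used, or
    outlived its campaign; severity rises when it reaches high-value systems."""
    findings = []
    for tok in inventory:
        if tok["revoked"]:
            continue  # already dealt with
        reasons = []
        last_used = _parse(tok["last_used"])
        if last_used is None:
            reasons.append("never used since issuance")
        elif as_of - last_used > window:
            reasons.append(f"idle for {(as_of - last_used).days} days")
        campaign_end = _parse(tok["campaign_end"])
        if campaign_end is not None and campaign_end < as_of:
            reasons.append(f"campaign ended {campaign_end.date()} but token still active")
        if not reasons:
            continue
        risky = sorted(set(tok["scopes"]) & HIGH_VALUE_SCOPES)
        findings.append({
            "token_id": tok["token_id"],
            "integration": tok["integration"],
            "owner_team": tok["owner_team"],
            "reasons": reasons,
            "high_value_scopes": risky,
            "severity": "high" if risky else "medium",
            "recommended_action": "revoke",
        })
    return findings


if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_INVENTORY):
        print(f["severity"].upper(), f["token_id"], f["integration"],
              "->", "; ".join(f["reasons"]))
```

The report lists the owning team with each finding because, as blind spot 5 notes, these integrations are usually created outside the SOC; the revocation has to be confirmed with whoever set the token up, and a token that is still needed should have its scopes narrowed to the minimum the live integration uses rather than simply be left alone.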

By admin
