User error: Businesses expose 1.5bn sensitive files

Exposed confidential information is roughly 4,000 times larger than the Panama Papers leak

More than 1.5 billion sensitive corporate and consumer files, including payroll details and intellectual property data, are publicly exposed, according to cybersecurity company Digital Shadows.

Researchers at the firm detected files amounting to 12,000 terabytes of data hosted across Amazon Web Services (AWS) S3 buckets, rsync sites, server message block (SMB) and file transfer protocol (FTP) servers, Misconfigured Websites (WebIndex), and web-connected NAS drives as publicly accessible over the first three months of 2018, detailing their findings in a report titled Too Much Information.

For scale, the volume of data is roughly 4,000 times the size of 2016's Panama Papers leak.

The files are mostly stored in storage drives or buckets that are unencrypted and open to the public, meaning anyone with the correct URL address could access these documents, despite many containing people's personal information, something the EU's GDPR data protection legislation will be able to punish with huge potential fines when the rules come into force next month.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Digital Shadows CISO Rick Holland said: "The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation. In addition, with GDPR fast-approaching, there are clear regulatory implications for any organisation with EU citizen data."

Following numerous high profile breaches from companies mistakenly storing private information in public S3 buckets, AWS introduced the option to enable default encryption for its cloud storage last November. But as recently as February, FedEx locked down an unsecure S3 server following the exposure of data belonging to more than 119,000 citizens from around the world. And Digital Shadows found S3 buckets still accounted for 6.5% of the exposed data it discovered this year. 

But at 33%, most of the exposed files were found on unencrypted SMB servers; followed by those stored on file-sync rsync sites (28%) and transferred using FTP servers (26%). Payroll (707,960) and tax return (64,048) files were the most commonly exposed employee data.

Moreover, Digital Shadows found a significant portion of intellectual property data at risk, with the cybersecurity company discovering, for example, a patent summary for renewable energy in a document marked "strictly confidential".

On another instance a document containing proprietary source code submitted as part of a copyright application was found; including code outlining the design and workflow of a site providing software Electronic Medical Records (EMR), as well as details of the application.

Confidential information on members of the public also appeared, with 14,687 files listing people's contact information and 4,548 documents identifying healthcare patients, as well as files including transactional information, and some credit card data exposed.

Advertisement - Article continues below

"While we often hyper-focus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured servers," Holland said.

US firms had the highest number of leaked files, accounting for more than 239 million (16.3%), while the European Union as a whole made up more than 537 million files (36.5%). More than 64 million files were found to be exposed in the UK, while Germany and France together amassed more than 238 million exposed files.

Digital Shadows urged organisations to increase user training and awareness to combat the issue in the long term, but the report also mentioned tips to ensure organisations mitigate their risk to inadvertent exposure.

For users of FTP and SMB servers and rsync sites, Digital Shadows recommended the use of a password, and disabling guest or anonymous access, while firewalling the port off from the internet, and whitelisting the IPs permitted to access the resource.

Advertisement
Advertisement - Article continues below

Although S3 buckets can be encrypted by default, Digital Shadows recommends AWS users understand how to do so, while Misconfigured Websites (WebIndex) users are advised to disable directory listings unless required, and NAS drive users can add a password and disable guest or anonymous access, as well as opt for NAS devices that are secured by default.

Picture credit: Bigstock

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now
Advertisement

Recommended

Visit/government-it-strategy/28305/ir35-news
Policy & legislation

Businesses urged to continue IR35 preparations despite Conservative review pledge

3 Dec 2019
Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Visit/wifi-hotspots/31488/how-to-boost-your-business-wi-fi
wifi & hotspots

How to boost your business Wi-Fi

22 Oct 2019
Visit/strategy/28223/cio-job-description-what-does-a-cio-do
Business strategy

CIO job description: What does a CIO do?

1 Oct 2019

Most Popular

Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/hardware/354193/buy-it-to-grow-not-slow-your-business
Sponsored

Buy IT to grow, not slow, your business

25 Nov 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/security/antivirus/354328/microsoft-to-scrap-security-essentials-when-windows-7-reaches-end-of-life
antivirus

Microsoft to scrap Security Essentials when Windows 7 reaches end-of-life

13 Dec 2019