User error: Businesses expose 1.5bn sensitive files

Exposed confidential information is roughly 4,000 times larger than the Panama Papers leak

More than 1.5 billion sensitive corporate and consumer files, including payroll details and intellectual property data, are publicly exposed, according to cybersecurity company Digital Shadows.

Researchers at the firm detected files amounting to 12,000 terabytes of data hosted across Amazon Web Services (AWS) S3 buckets, rsync sites, server message block (SMB) and file transfer protocol (FTP) servers, Misconfigured Websites (WebIndex), and web-connected NAS drives as publicly accessible over the first three months of 2018, detailing their findings in a report titled Too Much Information.

For scale, the volume of data is roughly 4,000 times the size of 2016's Panama Papers leak.

The files are mostly stored in storage drives or buckets that are unencrypted and open to the public, meaning anyone with the correct URL address could access these documents, despite many containing people's personal information, something the EU's GDPR data protection legislation will be able to punish with huge potential fines when the rules come into force next month.

Digital Shadows CISO Rick Holland said: "The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation. In addition, with GDPR fast-approaching, there are clear regulatory implications for any organisation with EU citizen data."

Following numerous high profile breaches from companies mistakenly storing private information in public S3 buckets, AWS introduced the option to enable default encryption for its cloud storage last November. But as recently as February, FedEx locked down an unsecure S3 server following the exposure of data belonging to more than 119,000 citizens from around the world. And Digital Shadows found S3 buckets still accounted for 6.5% of the exposed data it discovered this year. 

But at 33%, most of the exposed files were found on unencrypted SMB servers; followed by those stored on file-sync rsync sites (28%) and transferred using FTP servers (26%). Payroll (707,960) and tax return (64,048) files were the most commonly exposed employee data.

Moreover, Digital Shadows found a significant portion of intellectual property data at risk, with the cybersecurity company discovering, for example, a patent summary for renewable energy in a document marked "strictly confidential".

On another instance a document containing proprietary source code submitted as part of a copyright application was found; including code outlining the design and workflow of a site providing software Electronic Medical Records (EMR), as well as details of the application.

Confidential information on members of the public also appeared, with 14,687 files listing people's contact information and 4,548 documents identifying healthcare patients, as well as files including transactional information, and some credit card data exposed.

"While we often hyper-focus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured servers," Holland said.

US firms had the highest number of leaked files, accounting for more than 239 million (16.3%), while the European Union as a whole made up more than 537 million files (36.5%). More than 64 million files were found to be exposed in the UK, while Germany and France together amassed more than 238 million exposed files.

Digital Shadows urged organisations to increase user training and awareness to combat the issue in the long term, but the report also mentioned tips to ensure organisations mitigate their risk to inadvertent exposure.

For users of FTP and SMB servers and rsync sites, Digital Shadows recommended the use of a password, and disabling guest or anonymous access, while firewalling the port off from the internet, and whitelisting the IPs permitted to access the resource.

Although S3 buckets can be encrypted by default, Digital Shadows recommends AWS users understand how to do so, while Misconfigured Websites (WebIndex) users are advised to disable directory listings unless required, and NAS drive users can add a password and disable guest or anonymous access, as well as opt for NAS devices that are secured by default.

Picture credit: Bigstock

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

What does a CISO do?
Careers & training

What does a CISO do?

6 Sep 2021
CTO job description: What does a CTO do?
Business strategy

CTO job description: What does a CTO do?

26 Aug 2021
Pharma transactions during the COVID-19 pandemic
Whitepaper

Pharma transactions during the COVID-19 pandemic

23 Aug 2021
Renewable energy: What works and what's on the way?
Whitepaper

Renewable energy: What works and what's on the way?

23 Aug 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
The technology powering the future of shopping
Technology

The technology powering the future of shopping

16 Sep 2021