User error: Businesses expose 1.5bn sensitive files

breach

More than 1.5 billion sensitive corporate and consumer files, including payroll details and intellectual property data, are publicly exposed, according to cybersecurity company Digital Shadows.

Researchers at the firm detected files amounting to 12,000 terabytes of data hosted across Amazon Web Services (AWS) S3 buckets, rsync sites, server message block (SMB) and file transfer protocol (FTP) servers, Misconfigured Websites (WebIndex), and web-connected NAS drives as publicly accessible over the first three months of 2018, detailing their findings in a report titled Too Much Information.

For scale, the volume of data is roughly 4,000 times the size of 2016's Panama Papers leak.

The files are mostly stored in storage drives or buckets that are unencrypted and open to the public, meaning anyone with the correct URL address could access these documents, despite many containing people's personal information, something the EU's GDPR data protection legislation will be able to punish with huge potential fines when the rules come into force next month.

Digital Shadows CISO Rick Holland said: "The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation. In addition, with GDPR fast-approaching, there are clear regulatory implications for any organisation with EU citizen data."

Following numerous high profile breaches from companies mistakenly storing private information in public S3 buckets, AWS introduced the option to enable default encryption for its cloud storage last November. But as recently as February, FedEx locked down an unsecure S3 server following the exposure of data belonging to more than 119,000 citizens from around the world. And Digital Shadows found S3 buckets still accounted for 6.5% of the exposed data it discovered this year.

But at 33%, most of the exposed files were found on unencrypted SMB servers; followed by those stored on file-sync rsync sites (28%) and transferred using FTP servers (26%). Payroll (707,960) and tax return (64,048) files were the most commonly exposed employee data.

Moreover, Digital Shadows found a significant portion of intellectual property data at risk, with the cybersecurity company discovering, for example, a patent summary for renewable energy in a document marked "strictly confidential".

On another instance a document containing proprietary source code submitted as part of a copyright application was found; including code outlining the design and workflow of a site providing software Electronic Medical Records (EMR), as well as details of the application.

Confidential information on members of the public also appeared, with 14,687 files listing people's contact information and 4,548 documents identifying healthcare patients, as well as files including transactional information, and some credit card data exposed.

"While we often hyper-focus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured servers," Holland said.

US firms had the highest number of leaked files, accounting for more than 239 million (16.3%), while the European Union as a whole made up more than 537 million files (36.5%). More than 64 million files were found to be exposed in the UK, while Germany and France together amassed more than 238 million exposed files.

Digital Shadows urged organisations to increase user training and awareness to combat the issue in the long term, but the report also mentioned tips to ensure organisations mitigate their risk to inadvertent exposure.

For users of FTP and SMB servers and rsync sites, Digital Shadows recommended the use of a password, and disabling guest or anonymous access, while firewalling the port off from the internet, and whitelisting the IPs permitted to access the resource.

Although S3 buckets can be encrypted by default, Digital Shadows recommends AWS users understand how to do so, while Misconfigured Websites (WebIndex) users are advised to disable directory listings unless required, and NAS drive users can add a password and disable guest or anonymous access, as well as opt for NAS devices that are secured by default.

Picture credit: Bigstock

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.