Rampant Misconfigurations Expose 1.5 Billion Sensitive Corporate Files
More than 1.5 billion sensitive corporate and other files are visible on the public internet due to human error.
Analysis from security firm Digital Shadows showed legions of misconfigured Amazon Web Services S3 buckets, which is the most high-profile issue; however, these make up a fraction of the leakage, accounting for just 7% of exposed data.
The bigger problems are misconfigured network attached storage (NAS) devices, FTP servers and a host of other common tools that people use to back up, sync and share files. Old-school protocols and platforms like Server Message Block (SMB) (33% of visible files), rsync (28%) and FTP servers (26%) expose the vast majority of data.
The exposed files are a gold mine for criminals. The most common data exposed was payroll and tax return files, which accounted for 700,000 and 60,000 files, respectively. However, consumers are also at risk from the exposure of 14,687 incidents of leaked contact information and 4,548 patient lists. In one instance, a large amount of point-of-sale terminal data, which included transactions, times, places and some credit-card data, was found to be publicly available.
Of all the data an organization seeks to control, intellectual property (IP) is among the most precious. Digital Shadows detected many occurrences of this confidential information. For example, a patent summary for renewable energy in a document marked as “strictly confidential” was discovered. Another example includes a document containing proprietary source code that was submitted as part of a copyright application. This file included the code that outlined the design and workflow of a site providing software electronic medical records (EMRs), as well as details about the copyright application.
The volume of exposed data in the study totaled 12 petabytes (12,000 terabytes). For context that's 4,000 times the size of the Panama Papers leak.
Many of the visible file caches appear to result from business partners and contractors improperly securing shared and backup copies of files. A shocking amount of security assessment and penetration tests was discovered, for instance. In addition, Digital Shadows identified consumer back-up devices that were misconfigured to be Internet-facing and inadvertently making private information public.
“While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren’t focusing on our external digital footprints and the data that is already publicly available via misconfigured services,” said Rick Holland, CISO at Digital Shadows.
Worryingly, Digital Shadows found that there are numerous EU/cross-border dimensions to the data, making it a rare illustration of General Data Protection Regulation (GDPR) consequences set to hit in May, if companies do not react in time.
Holland added, “The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organization. In addition, with GDPR fast approaching, there are clear regulatory implications for any organization with EU citizen data.”
Source: Information Security Magazine