User error: Businesses expose 1.5bn sensitive files
Exposed confidential information is roughly 4,000 times larger than the Panama Papers leak


More than 1.5 billion sensitive corporate and consumer files, including payroll details and intellectual property data, are publicly exposed, according to cybersecurity company Digital Shadows.
Researchers at the firm found 12,000 terabytes of data publicly accessible over the first three months of 2018, hosted across Amazon Web Services (AWS) S3 buckets, rsync sites, server message block (SMB) and file transfer protocol (FTP) servers, misconfigured websites with directory listings enabled (which the report calls "WebIndex"), and web-connected NAS drives, detailing their findings in a report titled Too Much Information.
For scale, the volume of data is roughly 4,000 times the size of 2016's Panama Papers leak.
The files are mostly stored in drives or buckets that are unencrypted and open to the public, meaning anyone with the correct URL could access them. Many contain people's personal information, exposure that the EU's GDPR data protection legislation will be able to punish with potentially huge fines once the rules come into force next month.
Digital Shadows CISO Rick Holland said: "The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation. In addition, with GDPR fast-approaching, there are clear regulatory implications for any organisation with EU citizen data."
Following numerous high-profile breaches caused by companies mistakenly storing private information in public S3 buckets, AWS introduced the option to enable default encryption for its cloud storage last November. But as recently as February, FedEx locked down an unsecured S3 server following the exposure of data belonging to more than 119,000 people from around the world. And Digital Shadows found S3 buckets still accounted for 6.5% of the exposed data it discovered this year.
Most of the exposed files (33%) were found on unencrypted SMB servers, followed by those stored on rsync file-sync sites (28%) and those transferred using FTP servers (26%). Payroll (707,960) and tax return (64,048) files were the most commonly exposed employee data.
Moreover, Digital Shadows found a significant portion of intellectual property data at risk, with the cybersecurity company discovering, for example, a patent summary for renewable energy in a document marked "strictly confidential".
In another instance, a document containing proprietary source code submitted as part of a copyright application was found, including code outlining the design and workflow of a site providing Electronic Medical Records (EMR) software, as well as details of the application.
Confidential information on members of the public also appeared, with 14,687 files listing people's contact information and 4,548 documents identifying healthcare patients, as well as files including transactional information, and some credit card data exposed.
"While we often hyper-focus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured servers," Holland said.
US firms had the highest number of leaked files, accounting for more than 239 million (16.3%), while the European Union as a whole made up more than 537 million files (36.5%). More than 64 million files were found to be exposed in the UK, while Germany and France together amassed more than 238 million exposed files.
Digital Shadows urged organisations to increase user training and awareness to combat the issue in the long term, but the report also offered practical tips to help organisations mitigate their risk of inadvertent exposure.
For users of FTP and SMB servers and rsync sites, Digital Shadows recommended requiring a password, disabling guest or anonymous access, firewalling the port off from the internet, and whitelisting the IP addresses permitted to access the resource.
Although S3 buckets can be encrypted by default, Digital Shadows recommends that AWS users understand how to enable this. Users of misconfigured websites (WebIndex) are advised to disable directory listings unless required, and NAS drive users should add a password, disable guest or anonymous access, and opt for NAS devices that are secured by default.
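The recommendations above map directly onto a handful of server settings. The following Python script is an added example, not code from Digital Shadows or the report: it audits constructed Samba (SMB), vsftpd (FTP), rsyncd and nginx configuration fragments for the weak settings the report warns about (guest or anonymous access, no IP whitelist, directory listings enabled) and shows each alongside a hardened form. The share and module names, paths and IP ranges are constructed placeholders; the directive names are the real ones each daemon uses.

```python
"""Audit server config fragments for the exposure settings the report warns about.

The config fragments below are constructed for illustration; they are not taken
from any real deployment.  Each WEAK_* fragment shows the setting that leaves
data public, each HARDENED_* fragment the corrected form.
"""
import re

WEAK_SAMBA = """
[global]
   map to guest = Bad User
[payroll]
   path = /srv/payroll
   guest ok = yes
   read only = no
"""
HARDENED_SAMBA = """
[global]
   map to guest = Never
   hosts allow = 10.0.0.0/8
[payroll]
   path = /srv/payroll
   guest ok = no
   valid users = @finance
"""
# vsftpd's compiled-in default for anonymous_enable is YES, so an absent
# directive is treated as weak as well.
WEAK_VSFTPD = "local_enable=YES\nwrite_enable=YES\n"
HARDENED_VSFTPD = "anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"
WEAK_RSYNCD = """
[backups]
   path = /srv/backups
   read only = no
"""
HARDENED_RSYNCD = """
[backups]
   path = /srv/backups
   auth users = backup
   secrets file = /etc/rsyncd.secrets
   hosts allow = 10.0.0.0/8
"""
WEAK_NGINX = "location /files/ {\n    autoindex on;\n}\n"
HARDENED_NGINX = "location /files/ {\n    autoindex off;\n}\n"


def _parse_ini(text):
    """Return {section: {key: value}} for Samba/rsyncd style 'key = value' configs."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def audit_samba(text):
    """Flag guest mapping, missing IP whitelist and guest-accessible shares."""
    conf = _parse_ini(text)
    g = conf["global"]
    findings = []
    if g.get("map to guest", "never") != "never":
        findings.append("global: 'map to guest' turns failed logins into guest sessions")
    if "hosts allow" not in g:
        findings.append("global: no 'hosts allow' restricting client IPs")
    for name, share in conf.items():
        if name != "global" and share.get("guest ok", "no") in ("yes", "true", "1"):
            findings.append(f"{name}: 'guest ok = yes' allows anonymous access")
    return findings


def audit_vsftpd(text):
    """Flag anonymous FTP logins (enabled unless explicitly set to NO)."""
    anonymous = True
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().lower() == "anonymous_enable":
            anonymous = value.strip().upper() == "YES"
    return ["anonymous_enable is YES: anonymous FTP logins allowed"] if anonymous else []


def audit_rsyncd(text):
    """Flag rsync modules with no authentication and no IP whitelist."""
    conf = _parse_ini(text)
    findings = []
    for name, mod in conf.items():
        if name == "global":
            continue
        if "auth users" not in mod:
            findings.append(f"{name}: no 'auth users', module is readable anonymously")
        if "hosts allow" not in mod and "hosts allow" not in conf["global"]:
            findings.append(f"{name}: no 'hosts allow' restricting client IPs")
    return findings


def audit_nginx(text):
    """Flag directory listings ('autoindex on'), the WebIndex case in the report."""
    hit = re.search(r"^\s*autoindex\s+on\s*;", text, re.MULTILINE)
    return ["'autoindex on' publishes a directory listing"] if hit else []


if __name__ == "__main__":
    for label, fn, weak, hardened in [
        ("samba", audit_samba, WEAK_SAMBA, HARDENED_SAMBA),
        ("vsftpd", audit_vsftpd, WEAK_VSFTPD, HARDENED_VSFTPD),
        ("rsyncd", audit_rsyncd, WEAK_RSYNCD, HARDENED_RSYNCD),
        ("nginx", audit_nginx, WEAK_NGINX, HARDENED_NGINX),
    ]:
        print(f"{label}: weak -> {fn(weak)}; hardened -> {fn(hardened)}")
```

Run stand-alone, the script lists the findings for each weak fragment and an empty list for each hardened one. Note that the checks cover only the directives the report calls out; a firewall rule limiting the port to the internal network, which the report also recommends, lives outside these files and is not audited here.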

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.