sb-eu logo
Story image

1.5 billion confidential data files publicly available - that's more than 12 petabytes of data

06 Apr 2018

Credit card data, medical records, payroll data, intellectual property and tax information are all available publicly online with no data protection whatsoever – and the scale of the problem is huge.

UK-based security firm Digital Shadows detected more than 1.5 billion publicly available files across the internet in the first three months of 2018 – accounting for more than 12 petabytes of exposed data.

What is causing such a large amount of exposed data? Third parties and contractors were the most common sources of sensitive data exposure.

“A shocking amount of security assessment and penetration tests was discovered. In addition, Digital Shadows identified consumer back up devices that were misconfigured to be Internet-facing and inadvertently making private information public.”

Most of the exposed files were stored across Amazon Simple Storage Service (S3) buckets, File Transfer Protocol (FTP) servers, misconfigured websites, Network Attached Storage (NAS) drives, rsync and Server Message Block (SMB) servers.

While AWS’ S3 servers have gained attention for being insecurely misconfigured, they were not the most insecure locations in Digital Shadows’ study.

Older technologies that are widely used were more likely to be exposed. 33% of exposed data came from SMB, 28% came from rsync and 26% came from FTP. Only 7% of exposed data came from S3 buckets.

“While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren’t focusing on our external digital footprints and the data that is already publicly available via misconfigured services,” comments Digital Shadows chief information security officer Rick Holland.

Those insecure locations are exposing a number of different types of data. Payroll and tax return files accounted for 700,000 and 60,000 files respectively – the two most common forms of exposed data.

There were also 14,687 cases of leaked contact information, and 4548 patient lists.

“The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation,” Holland says.

Intellectual property was also left sitting publicly exposed on many servers – even though it is amongst the most precious data organisations can control, according to Digital Shadows.

In one case, Digital Shadows discovered a ‘strictly confidential’ patent summary for renewable energy. In another case, a document with proprietary source code as part of a copyright application was also exposed.

“This file included the code that outlined the design and workflow of a site providing software Electronic Medical Records (EMR), as well as details about the copyright application,” Digital Shadows says.

Holland says this is a timely warning for organisations that must comply with breach notification and data privacy laws, such as the European Union’s GDPR.

Story image
Ivanti extends ESM automation capabilities with latest additions
Ivanti has made additions to its Enterprise Service Management (ESM) portfolio, with greater automation capabilities between service management and SecOps. More
Story image
New CompTIA cybersecurity skills certification available worldwide
Private sector business and defense organisations alike rely on CompTIA Security+ to build cybersecurity skills among their frontline cyber defenders.More
Story image
How a vantage point sees threats before they impact
When the focus has been on adversaries that develop increasingly complex and sophisticated attacks, tried and true techniques such as compromised credentials continue to be amongst the most potent weapons.More
Story image
Cyber-attackers target COVID-19 vaccine supply chain in sweeping phishing campaign
IBM’s Security X-Force, a task force created in the early days of the pandemic with an aim to combat cyber-attacks related to potential vaccines’ supply chains, released details on a coordinated effort to disrupt the COVID-19 ‘cold chain’.More
Story image
Trend Micro launches cloud native security solution for modern applications and APIs
“Application security is an invaluable part of the Cloud One platform, integrating technology to provide superior protection for customers deploying applications wherever it makes the most sense for them."More
Story image
Financial firms exposing data through mismanaged access controls - Varonis
Almost two-thirds of the analysed firms leave more than 1000 sensitive files open for every employee to access.More