Story image

1.5 billion confidential data files publicly available - that's more than 12 petabytes of data

06 Apr 18

Credit card data, medical records, payroll data, intellectual property and tax information are all available publicly online with no data protection whatsoever – and the scale of the problem is huge.

UK-based security firm Digital Shadows detected more than 1.5 billion publicly available files across the internet in the first three months of 2018 – accounting for more than 12 petabytes of exposed data.

What is causing such a large amount of exposed data? Third parties and contractors were the most common sources of sensitive data exposure.

“A shocking amount of security assessment and penetration tests was discovered. In addition, Digital Shadows identified consumer back up devices that were misconfigured to be Internet-facing and inadvertently making private information public.”

Most of the exposed files were stored across Amazon Simple Storage Service (S3) buckets, File Transfer Protocol (FTP) servers, misconfigured websites, Network Attached Storage (NAS) drives, rsync and Server Message Block (SMB) servers.

While AWS’ S3 servers have gained attention for being insecurely misconfigured, they were not the most insecure locations in Digital Shadows’ study.

Older technologies that are widely used were more likely to be exposed. 33% of exposed data came from SMB, 28% came from rsync and 26% came from FTP. Only 7% of exposed data came from S3 buckets.

“While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren’t focusing on our external digital footprints and the data that is already publicly available via misconfigured services,” comments Digital Shadows chief information security officer Rick Holland.

Those insecure locations are exposing a number of different types of data. Payroll and tax return files accounted for 700,000 and 60,000 files respectively – the two most common forms of exposed data.

There were also 14,687 cases of leaked contact information, and 4548 patient lists.

“The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation,” Holland says.

Intellectual property was also left sitting publicly exposed on many servers – even though it is amongst the most precious data organisations can control, according to Digital Shadows.

In one case, Digital Shadows discovered a ‘strictly confidential’ patent summary for renewable energy. In another case, a document with proprietary source code as part of a copyright application was also exposed.

“This file included the code that outlined the design and workflow of a site providing software Electronic Medical Records (EMR), as well as details about the copyright application,” Digital Shadows says.

Holland says this is a timely warning for organisations that must comply with breach notification and data privacy laws, such as the European Union’s GDPR.

Using blockchain to ensure regulatory compliance
“Data privacy regulations such as the GDPR require you to put better safeguards in place to protect customer data, and to prove you’ve done it."
A10 aims to secure Kubernetes container environments
The solution aims to provide teams deploying microservices applications with an automated way to integrate enterprise-grade security with comprehensive application visibility and analytics.
DigiCert conquers Google's distrust of Symantec certs
“This could have been an extremely disruptive event to online commerce," comments DigiCert CEO John Merrill. 
One Identity a Visionary in Magic Quad for PAM
One Identity was recognised in the Gartner Magic Quadrant for Privileged Access Management for completeness of vision and ability to execute.
Gartner names newcomer Exabeam a leader in SIEM
The vendor landscape for SIEM is evolving, with recent entrants bringing technologies optimised for analytics use cases.
52mil users affected by Google+’s second data breach
Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.
Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.