Story image

1.5 billion confidential data files publicly available - that's more than 12 petabytes of data

06 Apr 18

Credit card data, medical records, payroll data, intellectual property and tax information are all available publicly online with no data protection whatsoever – and the scale of the problem is huge.

UK-based security firm Digital Shadows detected more than 1.5 billion publicly available files across the internet in the first three months of 2018 – accounting for more than 12 petabytes of exposed data.

What is causing such a large amount of exposed data? Third parties and contractors were the most common sources of sensitive data exposure.

“A shocking amount of security assessment and penetration tests was discovered. In addition, Digital Shadows identified consumer back up devices that were misconfigured to be Internet-facing and inadvertently making private information public.”

Most of the exposed files were stored across Amazon Simple Storage Service (S3) buckets, File Transfer Protocol (FTP) servers, misconfigured websites, Network Attached Storage (NAS) drives, rsync and Server Message Block (SMB) servers.

While AWS’ S3 servers have gained attention for being insecurely misconfigured, they were not the most insecure locations in Digital Shadows’ study.

Older technologies that are widely used were more likely to be exposed. 33% of exposed data came from SMB, 28% came from rsync and 26% came from FTP. Only 7% of exposed data came from S3 buckets.

“While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren’t focusing on our external digital footprints and the data that is already publicly available via misconfigured services,” comments Digital Shadows chief information security officer Rick Holland.

Those insecure locations are exposing a number of different types of data. Payroll and tax return files accounted for 700,000 and 60,000 files respectively – the two most common forms of exposed data.

There were also 14,687 cases of leaked contact information, and 4548 patient lists.

“The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation,” Holland says.

Intellectual property was also left sitting publicly exposed on many servers – even though it is amongst the most precious data organisations can control, according to Digital Shadows.

In one case, Digital Shadows discovered a ‘strictly confidential’ patent summary for renewable energy. In another case, a document with proprietary source code as part of a copyright application was also exposed.

“This file included the code that outlined the design and workflow of a site providing software Electronic Medical Records (EMR), as well as details about the copyright application,” Digital Shadows says.

Holland says this is a timely warning for organisations that must comply with breach notification and data privacy laws, such as the European Union’s GDPR.

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
What disaster recovery will look like in 2019
“With nearly half of all businesses experiencing an unrecoverable data event in the last three years, current backup solutions are no longer fit for purpose."
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.