Story image

1.5 billion confidential data files publicly available - that's more than 12 petabytes of data

06 Apr 2018

Credit card data, medical records, payroll data, intellectual property and tax information are all available publicly online with no data protection whatsoever – and the scale of the problem is huge.

UK-based security firm Digital Shadows detected more than 1.5 billion publicly available files across the internet in the first three months of 2018 – accounting for more than 12 petabytes of exposed data.

What is causing such a large amount of exposed data? Third parties and contractors were the most common sources of sensitive data exposure.

“A shocking amount of security assessment and penetration tests was discovered. In addition, Digital Shadows identified consumer back up devices that were misconfigured to be Internet-facing and inadvertently making private information public.”

Most of the exposed files were stored across Amazon Simple Storage Service (S3) buckets, File Transfer Protocol (FTP) servers, misconfigured websites, Network Attached Storage (NAS) drives, rsync and Server Message Block (SMB) servers.

While AWS’ S3 servers have gained attention for being insecurely misconfigured, they were not the most insecure locations in Digital Shadows’ study.

Older technologies that are widely used were more likely to be exposed. 33% of exposed data came from SMB, 28% came from rsync and 26% came from FTP. Only 7% of exposed data came from S3 buckets.

“While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren’t focusing on our external digital footprints and the data that is already publicly available via misconfigured services,” comments Digital Shadows chief information security officer Rick Holland.

Those insecure locations are exposing a number of different types of data. Payroll and tax return files accounted for 700,000 and 60,000 files respectively – the two most common forms of exposed data.

There were also 14,687 cases of leaked contact information, and 4548 patient lists.

“The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation,” Holland says.

Intellectual property was also left sitting publicly exposed on many servers – even though it is amongst the most precious data organisations can control, according to Digital Shadows.

In one case, Digital Shadows discovered a ‘strictly confidential’ patent summary for renewable energy. In another case, a document with proprietary source code as part of a copyright application was also exposed.

“This file included the code that outlined the design and workflow of a site providing software Electronic Medical Records (EMR), as well as details about the copyright application,” Digital Shadows says.

Holland says this is a timely warning for organisations that must comply with breach notification and data privacy laws, such as the European Union’s GDPR.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.