Credit card data, medical records, payroll data, intellectual property and tax information are all available publicly online with no data protection whatsoever – and the scale of the problem is huge.
UK-based security firm Digital Shadows detected more than 1.5 billion publicly available files across the internet in the first three months of 2018 – accounting for more than 12 petabytes of exposed data.
What is causing such a large amount of exposed data? Third parties and contractors were the most common sources of sensitive data exposure.
“A shocking amount of security assessment and penetration tests was discovered. In addition, Digital Shadows identified consumer back up devices that were misconfigured to be Internet-facing and inadvertently making private information public.
Most of the exposed files were stored across Amazon Simple Storage Service (S3) buckets, File Transfer Protocol (FTP) servers, misconfigured websites, Network Attached Storage (NAS) drives, rsync and Server Message Block (SMB) servers.
While AWS' S3 servers have gained attention for being insecurely misconfigured, they were not the most insecure locations in Digital Shadows' study.
Older technologies that are widely used were more likely to be exposed. 33% of exposed data came from SMB, 28% came from rsync and 26% came from FTP. Only 7% of exposed data came from S3 buckets.
“While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured services,” comments Digital Shadows chief information security officer Rick Holland.
Those insecure locations are exposing a number of different types of data. Payroll and tax return files accounted for 700,000 and 60,000 files respectively – the two most common forms of exposed data.
There were also 14,687 cases of leaked contact information, and 4548 patient lists.
“The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation,” Holland says.
Intellectual property was also left sitting publicly exposed on many servers – even though it is amongst the most precious data organisations can control, according to Digital Shadows.
In one case, Digital Shadows discovered a ‘strictly confidential' patent summary for renewable energy. In another case, a document with proprietary source code as part of a copyright application was also exposed.
“This file included the code that outlined the design and workflow of a site providing software Electronic Medical Records (EMR), as well as details about the copyright application,” Digital Shadows says.
Holland says this is a timely warning for organisations that must comply with breach notification and data privacy laws, such as the European Union's GDPR.