Digital Shadows finds 1.5bn business, consumer files exposed online: one month before businesses face EUR20m fines under GDPR legislation
Vast exposure of data, 4 000 times larger than the Panama Papers, includes documents spanning payroll data, tax return information, medical records, credit card data and intellectual property.
Digital Shadows, the leader in digital risk management and relevant threat intelligence, outlines the sheer scale of sensitive business and consumer files exposed online, putting organisations and their customers at risk.
Over the first three months of 2018, Digital Shadows detected over one-and-a-half-billion (1 550 447 111) publicly available files across open Amazon Simple Storage Service (S3) buckets, rsync, Server Message Block (SMB), File Transfer Protocol (FTP) servers, misconfigured Web sites, and Network Attached Storage (NAS) drives. This number amounts to over 12 petabytes (12 000 terabytes) of exposed data. For context, this is over 4 000 times larger than the 'Panama Papers' leak, which was 2.6 terabytes.
The most common data exposed was payroll and tax return files, which accounted for 700 000 and 60 000 files respectively. However, consumers are also at risk from the exposure of 14 687 incidents of leaked contact information and 4 548 patient lists. In one instance, a large amount of point of sale terminal data, which included transactions, times, places, and even some credit card data, was publicly available.
Interestingly, while misconfigured Amazon S3 buckets have attracted many headlines in recent months because of exposed data incidents, in this study they account for only 7% of the exposed data that Digital Shadows discovered. Instead, it is older, yet still widely used, technologies such as SMB (33%), rsync (28%) and FTP (26%) that have contributed the most exposure.
Of all the data an organisation seeks to control, intellectual property (IP) is among the most precious. Digital Shadows detected many occurrences of this confidential information. For example, a patent summary for renewable energy in a document marked as "strictly confidential" was discovered. Another example is a document containing proprietary source code that was submitted as part of a copyright application. This file included the code that outlined the design and workflow of a site providing electronic medical records (EMR) software, as well as details about the copyright application.
Third parties and contractors were identified as one of the most common sources of sensitive data exposure. A shocking number of security assessments and penetration tests were discovered. In addition, Digital Shadows identified consumer backup devices that were misconfigured to be Internet-facing and were inadvertently making private information public.
Rick Holland, Chief Information Security Officer at Digital Shadows, comments: "While we often hyper-focus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured services."
Holland continues: "The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation. In addition, with GDPR fast approaching, there are clear regulatory implications for any organisation with EU citizen data."
Digital Shadows will be showcasing its products and innovative technologies at the ITWeb Security Summit, southern Africa's definitive conference and expo for information security, IT and business professionals. This year, over 70 expert speakers will deliver key insights across seven tracks, including workshops and training courses during the expanded five-day event. The ITWeb Security Summit will be staged at Vodacom World, Midrand, from 22-23 May 2018; and CTICC Cape Town on 29 May 2018. Focused and interactive workshops as well as in-depth training courses will be run in the days around the main conference and exhibition.
For more information, go to www.securitysummit.co.za.
For information on Security Summit Cape Town, go to http://v2.itweb.co.za/event/itweb/security-summit-ct-2018/.
Read the full research report from Digital Shadows here.