Digital Shadows finds 1.5 billion business and consumer files exposed online – just one month before businesses face €20m fines under GDPR legislation
April 5, 2018
Vast exposure of data – some 4000 times larger than the Panama Papers – includes documents spanning payroll data, tax return information, medical records, credit card data and intellectual property
London / San Francisco, April 5, 2018: Digital Shadows, the leader in digital risk management and relevant threat intelligence, today outlines the sheer scale of sensitive business and consumer files exposed online putting organizations and their customers at risk.
Over the first three months of 2018, Digital Shadows detected over one and a half billion (1,550,447,111) publicly available files across open Amazon Simple Storage Service (S3) buckets, rsync servers, Server Message Block (SMB) shares, File Transfer Protocol (FTP) servers, misconfigured websites, and Network Attached Storage (NAS) drives. This amounts to over twelve petabytes (12,000 terabytes) of exposed data. For context, this is over four thousand times larger than the ‘Panama Papers’ leak, which was 2.6 terabytes.
The most common data exposed was payroll and tax return files, which accounted for 700,000 and 60,000 files respectively. However, consumers are also at risk from the exposure of 14,687 incidents of leaked contact information and 4,548 patient lists. In one instance, a large amount of point of sale terminal data, which included transactions, times, places, and even some credit card data, was publicly available.
Interestingly, while misconfigured Amazon S3 buckets have attracted many headlines in recent months because of exposed-data incidents, in this study they account for only 7 percent of the exposed data Digital Shadows discovered. Instead, it is older, yet still widely used, technologies – SMB (33 percent), rsync (28 percent) and FTP (26 percent) – that contributed the most exposure.
Of all the data an organization seeks to control, intellectual property (IP) is among the most precious. Digital Shadows detected many occurrences of this confidential information. For example, a patent summary for renewable energy in a document marked as “strictly confidential” was discovered. Another example is a document containing proprietary source code that was submitted as part of a copyright application. This file included the code that outlined the design and workflow of a site providing Electronic Medical Records (EMR) software, as well as details about the copyright application.
Third parties and contractors were identified as one of the most common sources of sensitive data exposure. A striking number of security assessments and penetration test reports were discovered. In addition, Digital Shadows identified consumer backup devices that were misconfigured to be Internet-facing, inadvertently making private information public.
Rick Holland, Chief Information Security Officer at Digital Shadows comments: “While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren’t focusing on our external digital footprints and the data that is already publicly available via misconfigured services.”
Holland continues: “The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organization. In addition, with GDPR fast-approaching, there are clear regulatory implications for any organization with EU citizen data.”
Read the full research report from Digital Shadows here.
ABOUT DIGITAL SHADOWS
Digital Shadows enables organizations to manage digital risk by identifying and eliminating threats to their business and brand. We monitor for digital risk across the widest range of data sources within the open, deep and dark web to deliver tailored threat intelligence, context and actionable remediation options that enable security teams to be more effective and efficient. Our clients can focus on growing their core business knowing that they are protected if their data is exposed, if employees or third parties put them at risk, or if their brand is being misused.