Misconfigured security controls could result in multiple breaches of GDPR with 2.3 billion exposed files, including passport data, bank records and medical information, increasing risk of identity theft, ransomware attacks and more
London and San Francisco, May 30, 2019: Digital Shadows, the leader in digital risk protection, today unveiled the findings of a new report from its Photon Research Team, “Too Much Information: The Sequel,” assessing the scale of inadvertent global data exposure. The team’s research revealed the exposure of 2.3 billion files across online file stores, including customer data such as passport scans and bank statements, as well as business information, such as credentials to company systems.
The exposure represents an increase of over 750 million files since the same study was carried out by Digital Shadows in 2018 – more than a 50% annual increase. The exposure – including 326 million records from the US / 98 million from the UK / 121 million from Germany – could put many companies in breach of GDPR regulation, which became effective one year ago. This is leaving them at risk of €20 million in fines / 4% of global turnover for failure to adequately protect the data of their customers.
This data exposure is caused by the misconfiguration of commonly used file storage technologies. Nearly 50% of the files (1.071 billion) were exposed via the Server Message Block protocol – a technology for sharing files first designed in 1983. Other misconfigured technologies, including FTP services (20% of total), rsync (16%), Amazon S3 ‘buckets’ (8%) and Network Attached Storage devices (3%), were cited as additional sources of exposure.
The Photon Research Team warned that the risks to organizations as a result of this exposure are severe. Not only are the ramifications of data privacy laws like GDPR significant, the exposed data gives attackers everything they need to launch personalized attacks targeting their customers, employees, and third parties. For example, Digital Shadows observed that over 17 million exposed files had been encrypted by ransomware, 2 million of them by the recently discovered ‘NamPoHyu’ variant. Businesses have likely been impacted by these ransomware attacks and may not be aware of it. In another example, a small IT consulting company in the UK was found to be exposing 212,000 files, many of which belonged to its clients, with password lists kept in plain text. This is a prime example of organizations trusting third parties with their data and not having visibility when those third parties fail to keep it secure.
The risks to individual consumers are high as well. With the wealth of data exposed by organizations that consumers trusted to keep it secure, attackers can easily use that information to execute targeted attacks against the individuals themselves. For example, the research found an open FTP server containing everything an attacker would need to conduct identity theft – including job applications, personal photos, passport scans, and bank statements. The team also found 4.7 million exposed medical-related files, the majority of which were DICOM (DCM) medical imaging files, including x-rays and other health-related imaging scans. With GDPR regulations in effect, and data privacy laws tightening around the world, consumers impacted by this exposure have more power than ever to act against the organizations that allowed their data to be exposed in the first place.
While overall file exposure has increased, the Photon Research Team reported a sharp decline in data exposed by Amazon S3 ‘buckets.’ In November 2018, Amazon introduced ‘Amazon S3 Block Public Access,’ which provided more extensive security controls for its services. The Photon Research Team noted that since November (when just over 16 million files were exposed), S3 exposure has decreased to just 1,895 open buckets today – a noticeable improvement for a service widely used by organizations across the globe.
Harrison Van Riper, a Photon Research analyst, commented: “Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year. We urge all organizations to regularly audit the configuration of their public facing services.”
Digital Shadows is advising organizations to take the following precautions:
- Use Amazon S3 Block Public Access to limit public exposure of buckets which are intended to be private. Enable logging through AWS to monitor for any unwanted access or potential exposure points.
- If possible, block ports 139 and 445 from the internet. IP whitelisting should be used to ensure that only the systems authorized to access those shares can reach them. Accounts should also use strong, complex passwords.
- If rsync is only used internally, block port 837 to disallow any external connections.
- Use SSH File Transfer Protocol (SFTP) in place of FTP; it carries file transfers over an encrypted SSH channel.
- As with FTP servers, network attached storage (NAS) drives should be placed internally behind a firewall and access control lists should be used to prevent unwanted access.
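The following is an added example, not code from Digital Shadows or the report, showing how an organization might self-audit against the first two precautions above. It checks, first, whether a bucket's PublicAccessBlock matches the fully-blocking posture that Amazon S3 Block Public Access provides and whether its ACL grants access to everyone, and second, which SMB, FTP and rsync listeners on a host are bound to all interfaces. It runs offline on constructed sample data whose shape mirrors the responses of boto3's get_public_access_block() and get_bucket_acl() and the output of `ss -ltn`; the flag names and grantee URIs are the real AWS ones, and rsync's IANA-registered port, 873, is the value assumed here.

```python
"""Self-audit for the S3 and network-service precautions above.

Added example, not Digital Shadows' code. It runs offline on constructed sample
data shaped like boto3's get_public_access_block()/get_bucket_acl() responses
and like `ss -ltn` output; the field names and grantee URIs are the real AWS ones.
"""
import re
from typing import Optional

# The four flags S3 Block Public Access sets (the PublicAccessBlockConfiguration
# keys accepted by put_public_access_block); all must be True for a private bucket.
FULL_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Canned ACL grantees that make a bucket or object readable by anyone.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def s3_findings(bucket: str, pab: Optional[dict], grants: list) -> list:
    """Return human-readable findings for one bucket (empty list = nothing to fix)."""
    findings = []
    if pab is None:
        findings.append(f"{bucket}: no PublicAccessBlock configured")
    else:
        off = [k for k in FULL_BLOCK if not pab.get(k, False)]
        if off:
            findings.append(f"{bucket}: PublicAccessBlock leaves {', '.join(off)} off")
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            group = uri.rsplit("/", 1)[-1]
            findings.append(f"{bucket}: ACL grants {grant.get('Permission')} to {group}")
    return findings


# Services the precautions say should not face the internet.
# rsync's IANA-registered port is 873 (assumed here).
SHOULD_NOT_FACE_INTERNET = {139: "NetBIOS/SMB", 445: "SMB", 21: "FTP", 873: "rsync"}
WILDCARD_BINDS = {"0.0.0.0", "*", "[::]", "::"}

# Matches the Local Address:Port column of `ss -ltn` (IPv4, bracketed IPv6, or '*').
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")

# Constructed sample of `ss -ltn` output from a host that serves SMB shares and rsync.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       50      0.0.0.0:139         0.0.0.0:*
LISTEN  0       50      0.0.0.0:445         0.0.0.0:*
LISTEN  0       128     [::]:873            [::]:*
LISTEN  0       128     127.0.0.1:873       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""


def exposed_listeners(ss_output: str) -> list:
    """Return (port, service, bind address) for flagged services bound to all interfaces."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in SHOULD_NOT_FACE_INTERNET and addr in WILDCARD_BINDS:
            hits.append((port, SHOULD_NOT_FACE_INTERNET[port], addr))
    return hits


if __name__ == "__main__":
    # Constructed bucket state: one flag left off and a world-readable ACL grant.
    pab = dict(FULL_BLOCK, RestrictPublicBuckets=False)
    grants = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
    report = s3_findings("example-bucket", pab, grants)
    report += [f"port {p} ({svc}) listens on {addr}"
               for p, svc, addr in exposed_listeners(SAMPLE_SS)]
    for finding in report:
        print(finding)
```

In a real audit, `pab` would come from get_public_access_block() (which raises NoSuchPublicAccessBlockConfiguration when none is set, the None case above), `grants` from get_bucket_acl()['Grants'], and the listener list from running `ss -ltn` on each file server; a 127.0.0.1 rsync bind is deliberately not flagged, since only wildcard binds are reachable from outside the host.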
For further details, read Digital Shadows’ blog announcement of the research.
ABOUT DIGITAL SHADOWS
Digital Shadows minimizes digital risk by identifying unwanted exposure and protecting against external threats. Organizations can suffer regulatory fines, loss of intellectual property, and reputational damage when digital risk is left unmanaged. Digital Shadows SearchLight™ helps you minimize these risks by detecting data loss, securing your online brand, and reducing your attack surface. To learn more, visit www.digitalshadows.com.