1.5 billion sensitive files exposed by misconfigured servers, storage and cloud services

As GDPR looms, vast amounts of sensitive data including credit card details, medical information, and patents are still easily found online, says a security company.
Written by Danny Palmer, Senior Writer


Researchers have discovered that over 1.5 billion sensitive files, including payroll information, credit card details, medical data, and patents for intellectual property, are exposed online, putting consumers and businesses at risk of theft, cybercrime, and espionage.

But the information exposed online -- some 12,000 terabytes of data in total -- isn't there as a result of hacking or other cybercriminal activity. It has been stored in publicly accessible locations, ranging from Amazon Simple Storage Service (Amazon S3) buckets, rsync, SMB and FTP servers, and misconfigured websites to unsecured NAS drives.
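The S3 case is the easiest of these misconfigurations to check for yourself, because a bucket is world-readable only through two mechanisms: an ACL grant to one of Amazon's public groups, or a bucket policy that allows a wildcard principal. The following script is an added example, not code from Digital Shadows or the article; it audits both mechanisms offline on inputs shaped like the dictionaries boto3's get_bucket_acl() and get_bucket_policy() return. The bucket names, owner IDs, account ID and role name in the samples are constructed and not real.

```python
"""Offline audit of an S3 bucket's ACL and bucket policy for public grants.

Added example, not code from the report or the article. Input shapes match
boto3's get_bucket_acl() and get_bucket_policy() responses, but the buckets
below are constructed samples so the script runs without an AWS account.
"""
import json

# Group URIs AWS uses for "anyone on the internet" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_findings(acl):
    """Return (group, permission) pairs the ACL grants to a public group.

    On a bucket ACL, READ lets the grantee list every key in the bucket,
    WRITE lets them upload or delete objects, FULL_CONTROL is everything.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[uri], grant.get("Permission")))
    return findings


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _is_wildcard_principal(principal):
    """True when a Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy):
    """Return Allow statements whose principal is a wildcard.

    A statement with a Condition block (for example limited to a source IP
    range) is reported but marked, since it may not be reachable by everyone.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditioned": "Condition" in stmt,
        })
    return findings


def audit_bucket(name, acl, policy):
    """Combine both checks into one verdict; policy may be None if unset."""
    acl_hits = acl_findings(acl)
    policy_hits = policy_findings(policy) if policy is not None else []
    # Unconditioned wildcard grants are public outright; conditioned ones are
    # left for review rather than counted as a confirmed exposure.
    public = bool(acl_hits) or any(not f["conditioned"] for f in policy_hits)
    return {"bucket": name, "public": public, "acl": acl_hits, "policy": policy_hits}


# Constructed sample inputs (not real buckets): one exposed, one locked down.
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}],
})
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}],
}
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
                   "Action": ["s3:PutObject", "s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-hr/*"}],
})

if __name__ == "__main__":
    for name, acl, pol in (("example-backups", EXPOSED_ACL, EXPOSED_POLICY),
                           ("example-hr", PRIVATE_ACL, PRIVATE_POLICY)):
        print(json.dumps(audit_bucket(name, acl, pol), indent=2))
```

Against live buckets, pass `s3.get_bucket_acl(Bucket=name)` as the ACL and `s3.get_bucket_policy(Bucket=name)["Policy"]` as the policy (get_bucket_policy raises a ClientError with code NoSuchBucketPolicy when no policy is set, so catch that and pass None). One caveat: a grant flagged here is only reachable if S3 Block Public Access, which AWS introduced after this report, is not enabled for the bucket or account, since that setting overrides ACL and policy grants.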

In just the first three months of 2018, a total of 1,550,447,111 exposed files have been detected by researchers at Digital Shadows, who outlined the findings in a new report.

While data has been left exposed by organisations in almost every country, the US is the single country most affected, with 239,607,590 files exposed, accounting for 16 percent of the total.

However, when counted as a single bloc, the countries of the European Union were found to have exposed the most data, with 537,720,919 files publicly available online -- 37 percent of the total.


Among the most common forms of identifiable personal data found to be exposed were payroll and tax return files, which accounted for 700,000 and 60,000 files respectively. If abused, this sensitive information could be used to commit fraud, identity theft, or other financial crime.

However, the exposed data isn't restricted to financial information: researchers found over two million .dcm -- Digital Imaging and Communications in Medicine -- files exposed on a single open SMB port in Italy.

These could potentially contain health information -- highly personal data which patients would definitely not appreciate being left exposed.

In one instance, a large amount of point of sale terminal data, which included transactions, times, places, and even credit card data, was publicly available.

Digital Shadows also found large amounts of intellectual property and other corporate data left exposed -- something the report refers to as 'corporate espionage made easy'.

In order to ensure that the information isn't put directly into the hands of spies and others interested in conducting cyber-espionage, Digital Shadows hasn't gone into the specifics of information uncovered.

However, in one instance, a patent for a yet-to-be-released renewable energy product was found in a document labelled 'strictly confidential' and containing detailed pictures and information about the patent.


This is just one instance of confidential plans being publicly uploaded as a result of data being accidentally backed up onto open SMB and FTP servers, rsync shares and Amazon S3 buckets.

So while organisations might worry that hacking groups and other sophisticated threat actors could be targeting their IP, the reality is they could have already released that information themselves.

"While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured services," said Rick Holland, chief information security officer at Digital Shadows.

"The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organisation. In addition, with GDPR fast approaching, there are clear regulatory implications for any organization with EU citizen data," he added.

While large amounts of data have already been exposed through misconfigured services, the report suggests that training and greater awareness can help ensure data is stored more securely.
