Cybersecurity: The number of files exposed on misconfigured servers, storage and cloud services has risen to 2.3 billion

Digital Shadows research finds that the number of exposed files -- including sensitive information -- has risen by 50 percent compared with last year. But there are some signs the problem can be fixed...
Written by Danny Palmer, Senior Writer

Over 2.3 billion files -- including sensitive data like payroll information, credit card details, medical data and patents for intellectual property -- are exposed publicly online, putting both people and organisations at risk of data theft, cybercrime, espionage and other malicious activities.

Analysis by researchers at cybersecurity company Digital Shadows found the highly sensitive information stored alongside other data in publicly exposed or misconfigured online storage and cloud services, including SMB file shares, rsync servers, and Amazon S3 buckets.
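An audit of the two on-premises service types named above, added here as an example that is not from the Digital Shadows report or from ZDNet: it parses a Samba smb.conf and an rsyncd.conf and reports every share or module that can be reached without credentials, the misconfiguration that puts files into a count like this one. Both sample configuration files are constructed for the example; the defaults applied (Samba: `guest ok = no`, `read only = yes`; rsync: `read only = yes`, no `auth users`, no host restriction) are the daemons' documented defaults.

```python
"""Flag SMB shares and rsync modules that need no credentials to reach.

Added example (not from the report): parses a Samba smb.conf and an
rsyncd.conf and reports shares a guest can read or write. The sample
configuration files below are constructed for this example.
"""
import configparser

TRUE_VALUES = {"yes", "true", "1"}


def _parse(text):
    # Both files are INI-like. rsyncd.conf puts global keys before any
    # section header, so a [global] header is prepended; strict=False merges
    # it with an explicit [global] block in smb.conf. Samba values contain
    # macros such as %m, so interpolation is disabled. Keys are lower-cased
    # by default, matching both daemons' case-insensitive parameter names.
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   empty_lines_in_values=False)
    cp.read_string("[global]\n" + text)
    return cp


def _setting(cp, section, *keys, default):
    """Boolean value of the first of `keys` set on the section, then in
    [global], else `default`. Synonyms ('guest ok'/'public') go in `keys`."""
    for scope in (section, "global"):
        for key in keys:
            value = cp.get(scope, key, fallback=None)
            if value is not None:
                return value.strip().lower() in TRUE_VALUES
    return default


def audit_samba(smb_conf):
    """Return (share, access) for each share reachable as guest; access is
    'read' or 'write'. Samba defaults: guest ok = no, read only = yes."""
    cp = _parse(smb_conf)
    findings = []
    for share in cp.sections():
        if share == "global":
            continue
        if not _setting(cp, share, "guest ok", "public", default=False):
            continue
        writable = (_setting(cp, share, "writeable", "writable", default=False)
                    or not _setting(cp, share, "read only", default=True))
        findings.append((share, "write" if writable else "read"))
    return findings


def audit_rsyncd(rsyncd_conf):
    """Return (module, access, host_restricted) for each module without
    'auth users'. rsync defaults: read only = yes, no host restriction."""
    cp = _parse(rsyncd_conf)
    findings = []
    for module in cp.sections():
        if module == "global":
            continue
        if (cp.get(module, "auth users", fallback=None)
                or cp.get("global", "auth users", fallback=None)):
            continue
        writable = not _setting(cp, module, "read only", default=True)
        restricted = bool(cp.get(module, "hosts allow", fallback=None)
                          or cp.get("global", "hosts allow", fallback=None))
        findings.append((module, "write" if writable else "read", restricted))
    return findings


# Constructed sample: one share is guest-writable (the case ransomware on
# exposed Samba servers abuses), one is guest-readable, one needs a login.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = CORP
   log file = /var/log/samba/%m.log
   map to guest = Bad User

[finance]
   path = /srv/finance
   valid users = @finance
   read only = no

[scans]
   ; imaging exports are dropped here by the modality
   path = /srv/scans
   guest ok = yes
   read only = no

[public]
   path = /srv/public
   public = yes
"""

# Constructed sample: an anonymous writable module, a read-only module
# limited to one network, and a module protected by auth users.
SAMPLE_RSYNCD_CONF = """\
uid = nobody
gid = nobody
use chroot = yes

[backups]
    path = /srv/backups
    comment = nightly database dumps
    read only = no

[mirror]
    path = /srv/mirror
    hosts allow = 10.0.0.0/8

[staff]
    path = /srv/staff
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""

if __name__ == "__main__":
    for share, access in audit_samba(SAMPLE_SMB_CONF):
        print(f"smb   share {share!r}: guest can {access}")
    for module, access, restricted in audit_rsyncd(SAMPLE_RSYNCD_CONF):
        scope = "from listed hosts only" if restricted else "from anywhere"
        print(f"rsync module {module!r}: anonymous {access} {scope}")
```

Run against the real files (`/etc/samba/smb.conf`, `/etc/rsyncd.conf`) the same functions apply unchanged; a guest-writable share or an unrestricted writable rsync module is the finding to fix first, since it is both a data-exposure and a ransomware target.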

The 2.3 billion figure is 750 million more than the 1.5 billion exposed files that Digital Shadows' Photon research team counted in its previous analysis of the issue early last year, an increase of roughly 50 percent in files at risk of being exploited because of poorly configured storage.

The Too Much Information: The Sequel report details some of the most worrying cases of sensitive data being left exposed.

These include 4.7 million medical files being publicly available, the majority of them DICOM (DCM) medical imaging files: 4.4 million of these were found to be exposed, double last year's figure.

In some cases, personal information such as name, date of birth and insurance details was attached to X-rays and medical scans, potentially allowing a malicious attacker to conduct identity theft and cybercrime, as well as invading the privacy of the patient by looking at their X-rays and scans.

Researchers found a UK-based IT consultancy had inadvertently publicly exposed over 212,000 files belonging to clients -- including documents full of usernames and passwords that could easily be exploited if uncovered by hackers.

Another example involves an open server being used by an individual that contained everything an attacker would need to easily steal their identity -- photos, a passport scan, bank statements and more.


In some cases, files are known to have been targeted by cyber criminals: researchers detected over 17 million files that had been encrypted by ransomware attacks.

One ransomware family is particularly adept at targeting these systems: NamPoHyu, a variant of MegaLocker ransomware that targets vulnerable Samba servers. As of April 2019, two million files were found to be encrypted with NamPoHyu, and in many cases, it's believed these are backup files.

During the course of the analysis, researchers also found that SamSam ransomware had targeted exposed servers, including those of a Californian university and a digital marketing firm for the auto industry.

The United States accounts for the largest share of exposed data, with 326 million of the files analysed stored within the country. France and Japan are next, with 151 million and 77 million exposed files respectively, as many organisations still struggle to store and configure their data properly as they move towards a cloud-based model.

"Businesses are continuing to expand their footprint online, beyond their own networks – and, more importantly, their own storage devices," Harrison Van Riper, research analyst at Digital Shadows told ZDNet.

"The same kinds of access controls and safeguards that businesses put on their own data within their networks should be implemented on those systems existing outside as well," Van Riper added.

However, despite the rise in the number of exposed files, there are signs that some progress is beginning to be made.

Sixteen million files were found to be coming from S3 buckets last year, but since then Amazon has introduced a Block Public Access feature, which lets account and bucket owners ignore public ACLs and neutralise public bucket policies; it has cut the exposure down to just a few thousand files.
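Block Public Access works by overriding public ACLs and public bucket policies rather than removing them, so an audit has to evaluate the ACL, the bucket policy and the block settings together. The following is an added example, not code from the report or from AWS: the input structures mimic the shape of the responses boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return, but every value is constructed and nothing is fetched from AWS. The policy check treats any Allow statement with a wildcard principal and no Condition as public, which is narrower than AWS's own definition; an account-level Block Public Access setting also applies on top of the bucket-level one, so pass whichever is stricter.

```python
"""Decide whether an S3 bucket is still publicly reachable after Block Public
Access is taken into account.

Added example (not from the report or AWS). Dict shapes follow boto3's
get_bucket_acl / get_bucket_policy / get_public_access_block responses; all
sample data below is constructed and nothing talks to AWS.
"""
import json

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_is_public(acl):
    """True if any ACL grant targets the AllUsers or AuthenticatedUsers group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            return True
    return False


def _principal_is_wildcard(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_is_public(policy_json):
    """True if an Allow statement names a wildcard principal with no Condition.
    Narrower than AWS's definition, which also treats some conditioned
    statements as public; conditioned statements are skipped here."""
    doc = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if (stmt.get("Effect") == "Allow"
                and _principal_is_wildcard(stmt.get("Principal"))
                and not stmt.get("Condition")):
            return True
    return False


def effective_exposure(acl, policy_json, public_access_block):
    """Reasons the bucket is publicly reachable once Block Public Access is
    applied. IgnorePublicAcls neutralises public ACL grants;
    RestrictPublicBuckets neutralises a public bucket policy. The other two
    settings only reject new public ACLs/policies and do not change what is
    already reachable, so they are not consulted here."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    reasons = []
    if acl_is_public(acl) and not pab.get("IgnorePublicAcls", False):
        reasons.append("ACL grants access to a public group")
    if (policy_json and policy_is_public(policy_json)
            and not pab.get("RestrictPublicBuckets", False)):
        reasons.append("bucket policy allows a wildcard principal")
    return reasons


# Constructed sample: a bucket with both a public-read ACL grant and a
# public-read policy, evaluated with and without Block Public Access.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
NO_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print("without block:", effective_exposure(SAMPLE_ACL, SAMPLE_POLICY, NO_BLOCK))
    print("with block:   ", effective_exposure(SAMPLE_ACL, SAMPLE_POLICY, FULL_BLOCK))
```

The point the two runs make is the one behind the drop in exposed S3 files: the same ACL and policy stay on the bucket, but with all four settings enabled neither grants the public anything. Turning the block on is therefore safe to do first and clean up the ACLs and policies afterwards, rather than the reverse.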

The report also suggests that the European Union's General Data Protection Regulation (GDPR) has played a role in two countries, Luxembourg and the Netherlands, reducing their overall exposure after each passed national legislation to implement GDPR.

"With GDPR now in effect, consumers now have more power in the EU to call organizations out for exposing their data and hopefully get them to reel it back," said Van Riper.

"We hope that this report will encourage a lot of people to take a look at their configurations, whether you're an organization or an individual consumer, and make sure that they're not letting the world have access to their files," he added.
