Digital Shadows has released the findings of a new report from its Photon Research Team, “Too Much Information: The Sequel,” assessing the scale of inadvertent global data exposure. The team’s research revealed the exposure of 2.3 billion files across online file stores, including customer data such as passport scans and bank statements, as well as business information, such as credentials to company systems.
The exposure represents an increase of over 750 million files since the same study was carried out by Digital Shadows in 2018 - more than a 50% annual increase. The exposure – including 326 million records from the US, 98 million from the UK and 121 million from Germany – could put many companies in breach of the GDPR, which became effective one year ago, leaving them at risk of fines of €20 million ($22 million) or 4% of global turnover for failing to adequately protect their customers' data.
This data exposure is caused by misconfiguration of commonly used file storage technologies. Nearly 50% of the files (1.071 billion) were exposed via the Server Message Block (SMB) protocol – a file sharing technology first designed in 1983. Other misconfigured technologies, including FTP services (20% of the total), rsync (16%), Amazon S3 ‘buckets’ (8%) and Network Attached Storage devices (3%), were cited as additional sources of exposure.
The Photon Research Team warned that the risks to organizations from this exposure are severe. Not only are the ramifications under data privacy laws like GDPR significant, but the exposed data also gives attackers everything they need to launch personalized attacks targeting customers, employees, and third parties. For instance, over 17 million exposed files have been encrypted by ransomware, 2 million of them by the recently discovered ‘NamPoHyu’ variant. Businesses have likely been impacted by these ransomware attacks without being aware of it. In another example, a small IT consulting company in the UK was found to be exposing 212,000 files, many of which belonged to its clients, with password lists kept in plain text. This is a prime example of organizations trusting third parties with their data and having no visibility when those third parties fail to keep it secure.
The risks to individual consumers are high as well. With the wealth of data exposed by the organizations that individuals trusted to keep it secure, attackers can easily use that information to execute targeted attacks against those individuals. For example, the research found an open FTP server containing everything an attacker would need to conduct identity theft - including job applications, personal photos, passport scans, and bank statements. The team also found 4.7 million exposed medical-related files, the majority of which were DICOM (DCM) medical imaging files, including x-rays and other health-related imaging scans. With GDPR regulations in effect, and data privacy laws tightening around the world, consumers impacted by this exposure have more power than ever to act against the organizations that allowed their data to be exposed in the first place.
While overall file exposure has increased, the Photon Research Team reported a sharp decline in data exposed by Amazon S3 ‘buckets.’ In November 2018, Amazon introduced ‘Amazon S3 Block Public Access,’ which provided more extensive security controls for its services. The Photon Research Team noted that since November (when there were just over 16 million exposed files) S3 exposure has fallen to just 1,895 open buckets today – a noticeable improvement for a service widely used by organizations across the globe.
“Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked last year. Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public-facing services,” said Harrison Van Riper, a Photon Research analyst.
Digital Shadows is advising organizations to take the following precautions:
- Use Amazon S3 Block Public Access to limit public exposure of buckets which are intended to be private. Enable logging through AWS to monitor for any unwanted access or potential exposure points.
- Disable SMBv1 and, for systems which require the protocol, update to SMBv2 or v3. Use IP whitelisting to ensure that only systems authorized to access those shares are the ones actually accessing them.
- If rsync is only used internally, disable port 837 to block any external connections. Encrypting all communications to and from rsync storage will also decrease potential exposure points.
- Use Secure FTP (SFTP), which runs file transfer over SSH encryption, in place of FTP (a protocol over 30 years old).
- As with FTP servers, network attached storage (NAS) drives should be placed internally behind a firewall, with access control lists implemented to prevent unwanted access.
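To make the S3 advice in the list above concrete (enable Block Public Access and monitor the access logs), the following is an added example written for this page; it is not code from Digital Shadows or from the report. It checks the four settings that the S3 GetPublicAccessBlock API returns under PublicAccessBlockConfiguration, then scans S3 server access log records for anonymous requests that the service actually served. The bucket name, owner id, IP addresses and object keys in the sample log are constructed, and the configuration dict is assumed to have been fetched beforehand (for instance with boto3); the script reads no live AWS data.

```python
"""Audit an S3 bucket for the two controls named in the guidance: the
Block Public Access settings and server access logs showing anonymous use.
Added illustrative example; not code from Digital Shadows or the report."""
import re

# The four settings S3 exposes under PublicAccessBlockConfiguration.
REQUIRED_BLOCKS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# Names of the leading fields of an S3 server access log record.
LOG_FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
)

# A token is a bracketed timestamp, a double-quoted string, or a bare word.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed log lines in the S3 server access log layout (all values invented).
SAMPLE_LOG = """\
OWNERID examplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 OWNERID 3E57427F3EXAMPLE REST.GET.OBJECT reports/q1.pdf "GET /examplebucket/reports/q1.pdf HTTP/1.1" 200 - 1024 1024 12 10 "-" "aws-cli/1.16" -
OWNERID examplebucket [06/Feb/2019:00:01:02 +0000] 198.51.100.7 - 8A2B3C4DEXAMPLE REST.GET.OBJECT scans/passport.jpg "GET /examplebucket/scans/passport.jpg HTTP/1.1" 200 - 204800 204800 33 30 "-" "Mozilla/5.0" -
OWNERID examplebucket [06/Feb/2019:00:01:15 +0000] 198.51.100.7 - 9F8E7D6CEXAMPLE REST.GET.BUCKET - "GET /examplebucket?list-type=2 HTTP/1.1" 403 AccessDenied 243 - 4 - "-" "Mozilla/5.0" -
"""


def missing_public_access_blocks(config):
    """Return the Block Public Access settings that are not switched on.

    `config` has the shape of the PublicAccessBlockConfiguration mapping
    returned by the S3 GetPublicAccessBlock API; absent keys count as off.
    """
    return [name for name in REQUIRED_BLOCKS if not config.get(name, False)]


def parse_log_line(line):
    """Split one access log record into a dict of its leading fields."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(LOG_FIELDS):
        raise ValueError("truncated log record: %r" % line)
    return dict(zip(LOG_FIELDS, tokens))


def anonymous_successes(log_text):
    """Find anonymous (unauthenticated) requests that S3 actually served.

    S3 writes '-' in the requester field for anonymous requests. A 2xx
    status means the object or listing was delivered, so each hit is
    evidence of real public exposure rather than a blocked probe.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec["requester"] == "-" and rec["http_status"].startswith("2"):
            hits.append((rec["remote_ip"], rec["operation"], rec["key"]))
    return hits


def audit_bucket(config, log_text):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for name in missing_public_access_blocks(config):
        findings.append("Block Public Access setting not enabled: %s" % name)
    for ip, op, key in anonymous_successes(log_text):
        findings.append("Anonymous %s of %r served to %s" % (op, key, ip))
    return findings


if __name__ == "__main__":
    # Constructed configuration with one of the four settings left off.
    weak_config = {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": False,
    }
    for finding in audit_bucket(weak_config, SAMPLE_LOG):
        print(finding)
```

Run against the sample data, the audit reports the one setting still switched off and the anonymous download of `scans/passport.jpg`, while the anonymous listing attempt that S3 refused with 403 is ignored. Filtering on a successful status is deliberate: denied probes show that controls are working, whereas a served anonymous request is the signal that a bucket is exposed.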