Exposed business data rises by 50% to 2.3 billion files


Keumars Afifi-Sabet

30 May, 2019

More than 2.3 billion sensitive corporate documents, including customer data and passport scans, are thought to be sitting on publicly accessible online storage systems.

One year after researchers disclosed the scale of exposed business files hosted using technologies like the server message block (SMB) protocol and Amazon Web Services (AWS) S3 buckets, new findings reveal this figure has risen by approximately 750 million.

Data exposed via these misconfigured systems mean companies across the world are at risk of handing data to cyber criminals and violating data protection laws, according to security research firm Digital Shadows, with 2,326,448,731 (2.3 billion) files exposed as of 16 May. This is in contrast with the 1.5 billion files detected in 2018.

Despite the steep rise in the total number of files left exposed, researchers did see a noticeable decline in the number of files being leaked through misconfigured AWS S3 buckets, which have in the past been responsible for some of the largest data leaks. Experian data on more than 120 million American households was exposed in 2017, while similar leaks also hit the NSA, WWE, Accenture and, most recently, a third party app built from Facebook data.

Due to changes in the way S3 buckets are configured, made in November, researchers found only 1,895 exposed files on 16 May, compared to around 16 million prior to default encryption being added.

However, this is overshadowed by a dramatic rise in the number of files expose through the SMB protocol, amounting to 1.1 billion or roughly 48% of exposed business documents. This compares against 20% of files made public through misconfigured FTP services, and 16% of the 2.3 billion documents exposed via rsync sites

“Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant,” said Photon Research analyst Harrison Van Riper.

“Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year.

“Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”

In their previous report, published last April, the researchers detected exposed data totalling 12,000TB hosted across S3 buckets, rsync sites, SMB servers, file transfer protocol (FTP) services, misconfigured websites (WebIndex), and network attached storage (NAS) drives. This volume of information was roughly 4,000 times greater than the Panama Papers leak three years ago.

The first set of findings were based on files detected during a three-month window between January and the end of March 2018, while their latest report has extended the observation window to between April 2018 and mid-May 2019.

Based on their most recent findings, researchers are particularly worried about a “troubling” rise in files exposed through SMB-enabled file shares, partially because they’re “not entirely sure why that’s the case”.

One potential indicator could be that AWS Storage Gateway added SMB support in June 2018, allowing file-based apps developed for Windows an easy way to store objects in S3 buckets. But the greater concern centres on ransomware, with more than 17 million ransomware-encrypted files detected across various file stores.

Elsewhere, the researchers discovered a variety of sensitive data exposed through misconfigured systems, including one server that contained all the necessary information an attacker would need to commit identity theft. The FTP server held job applications, personal photos, passport scans, and bank statements. All this data was publicly available.

Another example centred on medical data, with 4.7 million medical-related files exposed through the files stored the researchers analysed. The majority of these were medical imaging files, which doubled in volume from 2.2 million last year to 4.4 million today.

In light of its findings, Digital Shadows has advised organisations to use the Amazon S3 ‘Block Public Access’ setting to limit public exposure of buckets that are intended to be private. Logging should also be enabled to monitor for any unwanted access or potential exposure points.

Researchers have also advised businesses to disable SMBv1 and update to SMBv2 or v3 for systems which require the protocol. IP whitelisting, too, should be used to enable only authorised systems to access the storage systems.

NAS drives, as with FTP servers, should be placed internally behind a firewall with access control lists implemented to prevent unauthorised access.