Many Microsoft Office 365 and Office 2016 users uploaded documents to the company's free file-sharing website Docs.com without knowing that the files were being shared publicly, and that their data was indexed by search engines. How was the data leaked? What steps should organizations take if their data was exposed?
Editor's note: Microsoft will retire the Docs.com service on Dec. 15, 2017, and it advises all users to move their existing content to other platforms as soon as possible. More information about this can be found here.
Docs.com is a free, public file-sharing website provided by Microsoft. It's a very different offering from services like Microsoft's OneDrive, Dropbox or Google Drive, which offer secure cloud storage for files, as well as the ability to share access to them with invited friends and colleagues. The main purpose of Docs.com is to showcase documents, so, by default, they are accessible to everyone, including search engines that index the content.
Security researcher Kevin Beaumont discovered that, by using the search bar on the Docs.com homepage, he could find and access documents containing highly sensitive information. When Beaumont pointed this out via Twitter, it started a heated debate regarding where the responsibility for information security lies -- with the user or the provider.
The sensitive data Beaumont found included lists of names, addresses, Social Security numbers, bank account numbers, email addresses and phone numbers -- information apparently passed to a debt collector on behalf of a number of payday loan and finance companies -- in addition to medical data, including one physician's treatment logs and photos; credentials for logging into medical records systems; and a new employee enrollment document containing instructions on how to connect to a corporate intranet gateway with default username and password information. Many of these documents are still discoverable via Google or Bing search engines, as they were publicly indexed.
Those users who uploaded sensitive information to Docs.com can't have understood how the file-sharing website they were using worked. The whole point of Docs.com is that the information posted can be searched, shared and accessed by everyone.
The homepage of Docs.com says, "Showcase and discover Microsoft Word, Excel, PowerPoint, OneNote, Sway, Minecraft World and PDF documents for free," while Microsoft's FAQ about Docs.com states, "Use Docs.com to publish your documents and files to the web so that everyone can see and share them. Use OneDrive to work on documents together with others and to control who can see or edit your documents and files."
People may have seen the words "free cloud storage" and assumed Docs.com was similar to other cloud storage services. One slightly ambiguous line on the homepage does say, "Tap below to upload your documents. Later, you can choose who may view your documents." This implies that access to files is restricted.
Because so many people use the service inappropriately, there is an argument that Microsoft should rework the UI and how the user first engages with Docs.com. The terms "publish publicly" and "share" are not clear enough to some users, and publicly searchable cloud storage is a new concept for many.
That said, there are plenty of warnings before a document is saved to Docs.com that it will be publicly available and searchable on the web, and to make sure it doesn't contain private information.
Documents published on Docs.com will continue to be accessible to anyone who searches the file-sharing website until they are unpublished by the user. Enterprises should explain to employees how Docs.com works, and that if anyone uses it, they should immediately remove any work-related documents from the site. Office 365 and Azure tenant administrators can follow the information provided by Microsoft Support to manage employees' access to the Docs.com service.
The amount of sensitive, work-related information that has been uploaded to Docs.com shows that most users click through security warnings without actually reading them. Security awareness training has to stress the importance of understanding the consequences of clicking through security alerts, while data handling procedures need to be revisited, and employees tested on their knowledge and understanding of them.
Bodies that enforce compliance regulations, such as HIPAA, will not accept ignorance as a defense, and publishing sensitive information, like medical records, should be met with disciplinary action and additional training.