Researchers found that the scourge of misconfigured cloud storage expands beyond the issues seen on Amazon Web...
Services and includes multiple network storage options.
A new report from Digital Shadows' Rafael Amado, strategy and research analyst, Michael Marriott, research analyst, and Rick Holland, CISO and vice president of strategy, detailed the researchers finding 1.5 billion files -- 12 petabytes of data -- exposed to the public on various misconfigured cloud storage solutions.
The researchers noted that while data exposures on AWS accounts have made headlines over the recent months -- with leaks from the Department of Defense, NSA and more -- Amazon S3 bucket exposures only made up 7% of what the Digital Shadows researchers found during scans over the first three months of 2018. Other misconfigured cloud storage options were more prevalent, including SMB (33%), Rsync (28%) and FTP servers (26%), with misconfigured websites and network attached storage (NAS) drives making up the remaining 6%.
The exposed files were found around the globe, but the U.S. was the single most affected country with nearly 240 million files found. However, the researchers issued a warning to those in Europe because close to 540 million files were geolocated there, which will be a major issue once the General Data Protection Regulation (GDPR) begins enforcement in May.
"With GDPR fast-approaching, there are clear regulatory concerns for organizations surrounding the protection of personal data," the researchers wrote in "Too Much Information." "Loss of intellectual property also has considerable financial and reputational impacts."
Beyond the sheer amount of data exposed on the misconfigured cloud storage, Digital Shadows said there was a large amount of personal data to be found, such as payroll and tax return files; contact and patient lists; and point-of-sale data, including credit card information, personal health information, corporate intellectual property (IP) and even security audit reports.
"The exposure of personal information, IP, and security assessments can have significant impacts on the affected organization. This includes financial damage, privacy violation, and compliance issues," the researchers wrote. "For organizations that have failed to make these resources private, there are also reputational concerns -- although our research did reveal that former employees, contractors, and third parties were a leading cause of sensitive data exposure."
The affected organizations
Marriott told SearchSecurity that Digital Shadows did its best to notify affected organizations whenever possible.
"We have a responsible disclosure process in place and we have alerted some of the organizations. It's hard to say how many organizations are affected, as we couldn't always attribute the data to specific organizations and the scale was also problematic," Marriott said. "Following the responsible disclosure of our more sensitive findings, we wanted to better understand the macro level of exposure. Here we analyzed the most common services for exposed data, as well as the types of sensitive data available. This was an evolving piece of research and we notified organizations as it progressed."
The researchers noted in the report that due to the age of the protocols affected, "there is a wealth of direction on how to mitigate the risks associated with" the misconfigured cloud storage. "Sadly, as the 12 petabytes of exposed sensitive data demonstrates, much of this mitigation advice has fallen upon deaf ears."
Marriott suggested the first step for organizations should be to "limit their public-facing services, lock down how those services are accessed and who can access them, and also log all activity."
"For many of these services, organizations should ensure they are password protected and guest access is disabled. If these services really need to be on the internet, then make sure you whitelist the IPs that can access your resources," Marriott said. "In the longer-term, organizations should also be giving employees training on these risks and providing suitable backup solutions. Given that many instances occurred from contractors backing up and sharing sensitive data, there's also a big third-party message here."