More than 1.5 billion business and consumer files exposed online

In the first three months of 2018, security firm Digital Shadows detected more than 1.5 billion publicly available files, which equates to more than twelve petabytes (12,000 terabytes) of exposed data, which is more than four thousand times larger than the Panama Papers leak of 2.6 terabytes.

These files are located in open Amazon S3 cloud storage buckets, rsync sites, server message block (SMB) and file transfer protocol (FTP) servers, misconfigured websites, and network attached storage (NAS) drives, according to the Too much information report.

The most common data exposed was payroll and tax return files, which accounted for 700,000 and 60,000 files respectively. However, consumers are also at risk from the exposure of 14,687 incidents of leaked contact information and 4,548 patient lists.

In one instance, a large amount of point of sale terminal data – which included transactions, times, places and even some credit card data – was publicly available.

While issues surrounding misconfigured Amazon S3 buckets have attracted many headlines in recent months due to exposed data incidents, the report said they account for only 7% of exposed data discovered. Instead it is older, yet still widely used, technologies – such as SMB (33%), rsync (28%) and FTP (26%) – which have contributed the most exposure, the report said.

Out of all the data an organisation seeks to control, intellectual property (IP) is among the most precious, but Digital Shadows detected many occurrences of this confidential information. For example, a patent summary for renewable energy in a document marked as “strictly confidential” was discovered.

Third parties and contractors are one of the most common sources of sensitive data exposure, the report said, with a “shocking” amount of security assessment and penetration test information found.

The report also identified consumer back-up devices that were misconfigured to be internet-facing devices as a problem because they inadvertently make private information public.

Rick Holland, chief information security officer at Digital Shadows, said while there is often focus on responding to adversaries conducting intrusions and stealing data, organisations are not focusing on their our external digital footprints and the data that is publicly available through misconfigured services.

“The volume of this sensitive data exposure should be a major cause for concern for any security and privacy-conscious organisation. In addition, with compliance deadline for the European Union’s General Data Protection Regulation [GDPR] fast-approaching, there are clear regulatory implications for any organisation with EU citizens’ data,” he said.