2.3B Files Exposed in a Year: A New Record for Misconfigs

cloud storage misconfiguration data exposure

Amazon S3 cloud bucket misconfigurations however have dropped dramatically.

The last 12 months has seen the exposure of a record 2.3 billion files across cloud databases and online shares, according to an analysis released on Thursday.

A report from Digital Shadows’ Photon Research Team, Too Much Information: The Sequel, assessed the scale of inadvertent global data exposure. The 2.3 billion number represents an increase of more than 750 million files since 2018 – a more than a 50 percent annual increase.

The team’s research revealed that about half of the customer data, (1.071 billion files, including personal demographic information, passport scans and bank statements, job applications, personal photos, credentials for business networks and more) was exposed via the Server Message Block (SMB) protocol – a technology for sharing files first designed in 1983.

Other misconfigured technologies included FTP services (20 percent of the total), rsync (16 percent), Amazon S3 buckets (8 percent) and network attached storage (NAS) devices (3 percent).

The exposure – including 326 million records from the U.S., 121 million from Germany and 98 million from the UK, – puts many companies at significant risk, according to the report. For instance, countries within the European Union are collectively exposing over one billion files – nearly 50 percent of the total globally (and some 262 million more than last year), meaning that GDPR-related privacy fines would be levied.

There are other risks as well. “Not only are the ramifications of data privacy laws like GDPR significant, the exposed data gives attackers everything they need to launch personalized attacks targeting their customers, employees and third parties,” the report, shared with Threatpost at the GSMA Mobile 360 security for 5G conference, ahead of publication. “For instance, more than 17 million exposed files have been encrypted by ransomware, 2 million of which by the recently discovered ‘NamPoHyu’ variant. Businesses have likely been impacted by these ransomware attacks and may not be aware.”

The analysis also uncovered 4.7 million exposed medical-related files, the majority of which were medical imaging files, including X-rays and other health-related imaging scans.

Interestingly, while overall file exposure has increased, the Photon Team reported a sharp decline in data exposed by Amazon S3 buckets.

In November, Amazon introduced ‘Amazon S3 Block Public Access,’ which provided more extensive security controls for its services. The Photon Research team noted that since November (when there were just over 16 million exposed files) the number of S3 storage files exposed today has decreased to just 1,895 open buckets – a noticeable improvement.

“I would say Amazon has made significant strides when it comes to trying to secure the data that their users have uploaded to their S3 storage buckets,” Harrison Van Riper, strategy and research analyst at Digital Shadows, told Threatpost in an interview. “In that case, we’ve actually seen a decrease, and I recommend cloud providers take a look at the ways Amazon has combated this issue with their Block Public Access feature specifically.”

However, there are still significant risks out there, especially with third-party suppliers. “A business could have all of the security in the world, but once the data gets handed over to a third party, the same controls may not be in place,” Van Riper said. “We’ve seen this in several news stories lately with the third-parties being compromised and data stolen, rather than the data owner (the business) being compromised themselves. Ensuring the same kinds of controls apply to a third-party data handler is key in the service ecosystem businesses operate in.”

He added that while misconfigurations have become a common aspect of business security woes, there are ways to combat it.

“The first step in the process is acknowledging that all of your business’s sensitive data may not be where you think it is, or where it is supposed to be,” he said. “Then, the challenge becomes identifying where that data is, which is significant in large organizations that may have acquired other businesses or utilize third-parties for certain processes. Once you have identified those exposure points, then you can begin securing the data.”

Businesses could and probably should adopt a strategy of protecting the data itself as well, he noted.

“Encryption is always a good idea, especially when you’re dealing with data at-rest and don’t need to rely on the immediacy of access to the data,” said Van Riper. “While this is a good option, even more simple things like blocking specific port access to the internet for SMB servers if you can, or implementing IP whitelisting, are simple concepts to apply that would greatly reduce the overall exposure.”

There’s a mobile dimension to this as well, given that many of the exposed databases have been tied to mobile apps. In this scenario, like all third-party data-handlers, the responsibility falls on those who are tasked with securing the data.

“It’s unreasonable to think that everyday users of mobile apps are going to have the knowledge of or capability to monitor for their exposures of data,” Van Riper explained. “Data handlers need to be the responsible parties and secure the data that consumers entrust to them.”


Suggested articles