Digital Shadows, a digital risk protection company, has unveiled the findings of a new report from its Photon Research Team, “Too Much Information: The Sequel,” assessing the scale of inadvertent global data exposure. The team’s research revealed the exposure of 2.3 billion files across online file stores, including customer data such as passport scans and bank statements, business information, such as credentials to company systems, and 4.7 million exposed medical-related files, the majority of which were DICOM (DCM) medical imaging files, including x-rays and other health-related imaging scans.

With GDPR regulations in effect, and data privacy laws tightening around the world, consumers impacted by this exposure have more power than ever to act against the organizations who allowed their data to be exposed in the first place.

The exposure represents an increase of over 750 million files since the same study was carried out by Digital Shadows in 2018—more than a 50% annual increase. The exposure—including 326 million records from the United States, 98 million from the UK and 121 million from Germany—could put many companies in breach of GDPR regulation, which became effective one year ago. This is leaving them at risk of $22 million in fines / 4% of global turnover for failure to adequately protect the data of their customers.

This data exposure is caused by the misconfiguration of commonly used file storage technologies. Nearly 50% of the files (1.071 billion) were exposed via the Server Message Block protocol—a technology for sharing files first designed in 1983. Other misconfigured technologies, including FTP services (20% of total), rsync (16%), Amazon S3 ‘buckets’ (8%), and network attached storage devices (3%), were cited as additional sources of exposure.

The Photon Research Team warned that the risks to organizations as a result of this exposure are severe. Not only are the ramifications of data privacy laws like GDPR significant, but the exposed data also gives attackers everything they need to launch personalized attacks targeting their customers, employees, and third parties. For instance, over 17 million exposed files have been encrypted by ransomware, 2 million of them by the recently discovered ‘NamPoHyu’ variant. Businesses have likely been impacted by these ransomware attacks and may not be aware of it. In another example, a small IT consulting company in the UK was found to be exposing 212,000 files, many of which belonged to its clients, with password lists kept in plain text.

Harrison Van Riper, a Photon Research analyst, comments: “Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over 1 billion files—nearly 50% of the total we looked at globally—some 262 million more than when we looked at last year. Some of the data exposure is inexcusable—Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”

Digital Shadows is also advising organizations to take the following precautions:

  • Use Amazon S3 Block Public Access to limit public exposure of buckets which are intended to be private. Enable logging through AWS to monitor for any unwanted access or potential exposure points.
  • Disable SMBv1, and for systems which require the protocol, update to SMBv2 or v3. IP whitelisting should be used to ensure that the systems authorized to access those shares are indeed the only ones accessing them.
  • If rsync is only used internally, disable port 837 to disallow any external connections. Encrypting all communications to and from rsync storage will also decrease potential exposure points.
  • Use Secure FTP (SFTP), which adds SSH encryption to the protocol, as an update to FTP (which is over 30 years old).
  • As with FTP servers, network attached storage (NAS) drives should be placed internally behind a firewall, with access control lists implemented to prevent unwanted access.
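
As an added illustration of the first precaution (this is not code from Digital Shadows or the report), the Python below audits saved output of `aws s3api get-public-access-block` and `aws s3api get-bucket-logging` for each bucket and reports any Block Public Access flag that is off and any bucket without logging. It assumes "logging" means S3 server access logging; the bucket names and JSON are constructed samples.

```python
import json

# The four settings that make up S3 Block Public Access.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(name, public_access_block, logging):
    """Return findings for one bucket.

    public_access_block: parsed `aws s3api get-public-access-block` output,
    or None when the bucket has no such configuration.
    logging: parsed `aws s3api get-bucket-logging` output.
    """
    findings = []
    if public_access_block is None:
        findings.append(f"{name}: no Block Public Access configuration")
    else:
        cfg = public_access_block.get("PublicAccessBlockConfiguration", {})
        # An absent flag is treated the same as one set to false.
        off = [flag for flag in BPA_FLAGS if cfg.get(flag) is not True]
        if off:
            findings.append(f"{name}: flags not enabled: {', '.join(off)}")
    if "LoggingEnabled" not in (logging or {}):
        findings.append(f"{name}: server access logging disabled")
    return findings


def audit_all(inventory):
    """inventory maps bucket name -> (public_access_block, logging)."""
    return [f for name in sorted(inventory)
            for f in audit_bucket(name, *inventory[name])]


# Constructed sample (hypothetical bucket names), shaped like the CLI's JSON.
ALL_ON = {"PublicAccessBlockConfiguration": dict.fromkeys(BPA_FLAGS, True)}
PARTIAL = json.loads('{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true,'
                     ' "IgnorePublicAcls": true, "BlockPublicPolicy": false}}')
SAMPLE = {
    "example-docs": (ALL_ON, {"LoggingEnabled": {"TargetBucket": "example-logs",
                                                 "TargetPrefix": "docs/"}}),
    "example-scans": (PARTIAL, {}),
    "example-legacy": (None, {}),
}

if __name__ == "__main__":
    for line in audit_all(SAMPLE):
        print(line)
```

The check covers bucket-level settings only; Block Public Access can also be set for the whole account, which this example does not inspect.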

For further details, read Digital Shadows’ blog announcement of the research.