More than 2.3 billion files have been found inadvertently exposed online over the past year, according to a report from threat intelligence outfit Digital Shadows. The firm’s new ‘Too Much Information: The Sequel’ report follows up on the study’s previous iteration, which found 1.5 billion files exposed between April 2017 and March 2018. The latest figure represents a 50-percent jump from the previous report.
Beyond this, real estate insurance giant First American was found, just days ago, to have exposed a staggering 885 million files. But let’s go back to Digital Shadows’ report.
How?
As one might have expected, all the data found by Digital Shadows was sitting out in the open for anybody to find because of misconfigured or unsecured file storage and sharing technologies.
Around 46 percent of the files were exposed through Server Message Block (SMB) file shares, with their number (1.07 billion) actually doubling on an annual basis. File Transfer Protocol (FTP) and rsync servers follow at 20 percent and 16 percent, respectively. Amazon S3 buckets, which account for 8 percent of the total exposure, are in an interesting situation.
On the one hand, hardly a month goes by without a widely publicized news report of a leaky Amazon S3 bucket, and Digital Shadows does say that the number of files exposed via this cloud service increased year-on-year. But this is also where the report is not all bad news, as it notes that the number of exposed files tumbled from millions to thousands after Amazon Web Services (AWS) rolled out the ‘Block Public Access’ feature in November 2018.
What?
Of course, it’s not all about numbers, so what kind of files end up accidentally exposed? It varies, or, as the company puts it bluntly, “not all of them are blatantly sensitive, but there is plenty of gold in these mountains”. Indeed, the analysis detected many files containing highly sensitive information.
This includes data, such as that appearing in passport scans and bank statements, that offers up enough for identity theft on a silver platter. Almost 5 million medical-related files, mostly imaging files such as x-rays and other medical scans, were also found exposed. Data leaks from misconfigured public-facing file repositories may result in data theft and fraud, as well as penalties under the European Union’s General Data Protection Regulation (GDPR). In addition, the data may also fall victim to a malware attack. Indeed, more than 17 million of the files that Digital Shadows found were encrypted by ransomware.