90+ Companies Have Had Their Company Data Exposed Through Their Box Accounts… Yikes!

TechCrunch reports that roughly 90 high-profile companies have had corporate data exposed through their Box accounts:

The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders.

Not even Box’s own staff were immune from leaking data.

The company said while much of the data is legitimately public and Box advises users how to minimize risks, many employees may not know the sensitive data they share can be found by others.

Worse, some public folders were scraped and indexed by search engines, making the data more easily found.

In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.

Adversis first reported the issue to Box back in September, and has waited until today to make it public, to give companies time to remove sensitive data. Which is nice of them. But it illustrates the perhaps misplaced trust that companies have in cloud services. I say that because having your stuff “in the cloud” doesn’t remove the responsibility of making sure that the stuff in question is properly secured. Given that companies mentioned in this article include Amadeus, Apple, Box, Discovery, Herbalife, Edelman and Pointcare, this incident should serve as a warning to everyone else who uses services like these to store company data.
