MORE THAN 90 COMPANIES inadvertently exposed sensitive data by sharing public links to files in their Box enterprise storage accounts.
Security outfit Adversis is sounding the alarm bells; it's warning that while data stored in Box accounts is private by default, major companies are exposing their data by sharing links which are easily discoverable by anyone.
Worse, Adversis found that some public folders were indexed by search engines, making the data found more easily.
The firm said it found "hundreds" of passport photos, bank account and Social Security numbers, high-profile technology prototype and design files, passwords, employee lists, VPN configurations and financial data, including documents such as invoices and receipts.
"In the first couple days of running a non-aggressive scan, we had thousands of files and terabytes of data from dozens of companies," Adversis said. "A lot of the data was indeed public information or simply marketing material, but a considerable amount was sensitive.
"If your company uses Box, there is a good chance you are leaking sensitive data already and you may want to finish reading this after you disable public file sharing."
According to TechCrunch, Apple, the television network Discovery, flight reservation system Amadeus and nutrition company Herbalife were among the firms whose data was available in public links, along with, er, Box itself, which saw several of its own private folders exposed.
Adversis said it contacted Box on 24 September but that there was little overall improvement six months after its initial disclosure.
In a statement, however, Box said it's "taking steps" to raise awareness about the company's privacy settings when it comes to sharing files.
"We take our customers' security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing," a spokesperson said.
"In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or 'open'. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links."
The company also published a blog post outlining how corporate customers can share their information more securely on the platform.
For example, it's advising that users configure Shared Link default access to 'People in your company', that administrators regularly run a shared link report and that users do not create public (open) custom shared links to content that is not intended for public consumption.
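To show what that audit looks like in practice, here is an added example (not code from the article, Box or Adversis) that walks a Box folder tree, flags every link set to "open" and produces the API call that would restrict it to 'People in your company'. It assumes the item shape the Box API returns for folder listings, where `shared_link` is either null or an object whose `access` is "open", "company" or "collaborators"; the tree it walks is constructed sample data so it runs offline, whereas a real audit would fetch each folder's items through the Box SDK.

```python
# Assumed Box item shape (GET /2.0/folders/{id}/items?fields=name,shared_link):
# `shared_link` is None or {"url": ..., "access": "open"|"company"|"collaborators"}.
# SAMPLE_ROOT below is constructed data, not a real tenant's listing.
from __future__ import annotations
from collections.abc import Iterator

PUBLIC = "open"          # anyone with the URL, no login, and may be search-indexed
RECOMMENDED = "company"  # 'People in your company', the default Box recommends

SAMPLE_ROOT = {  # constructed sample data
    "type": "folder", "id": "0", "name": "All Files", "shared_link": None,
    "items": [
        {"type": "file", "id": "101", "name": "brochure.pdf",
         "shared_link": {"url": "https://app.box.com/s/aaa", "access": "open"}},
        {"type": "folder", "id": "200", "name": "HR",
         "shared_link": {"url": "https://app.box.com/s/bbb", "access": "open"},
         "items": [
             {"type": "file", "id": "201", "name": "payroll.xlsx",
              "shared_link": {"url": "https://app.box.com/s/ccc", "access": "company"}}]},
        {"type": "file", "id": "102", "name": "notes.txt", "shared_link": None},
    ],
}


def walk(item: dict, path: str = "") -> Iterator[tuple[str, dict]]:
    """Depth-first walk yielding (path, item) for every file and folder."""
    here = f"{path}/{item['name']}"
    yield here, item
    for child in item.get("items", []):
        yield from walk(child, here)


def find_open_links(root: dict) -> list[dict]:
    """Every item whose shared link is public, with the path it lives under."""
    return [
        {"type": item["type"], "id": item["id"], "path": path, "url": link["url"]}
        for path, item in walk(root)
        if (link := item.get("shared_link")) and link.get("access") == PUBLIC
    ]


def remediation(finding: dict) -> tuple[str, str, dict]:
    """(method, endpoint, body) that narrows the link to company users only.
    Box's PUT /2.0/files/{id} and /2.0/folders/{id} accept a shared_link object;
    sending {"shared_link": None} instead would remove the link entirely."""
    body = {"shared_link": {"access": RECOMMENDED}}
    return "PUT", f"/2.0/{finding['type']}s/{finding['id']}", body


if __name__ == "__main__":
    for f in find_open_links(SAMPLE_ROOT):
        print(f"OPEN {f['type']:6} {f['path']}  ->  {remediation(f)}")
```

An open link on a folder, as on the constructed "HR" folder here, exposes everything beneath it, which is why the walk reports folders as well as files.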