leowolfert - Fotolia
2.3 billion business and consumer data files exposed online
In the year since the GDPR compliance deadline, the number of data files exposed online without adequate protection is up more than 50% due to misconfigured security controls, report reveals
Contrary to expectations, the number of unprotected files exposed online has increased in the year since the full implementation of the General Data Protection Regulation (GDPR).
Some 2.3 billion data files – containing business IT system access credentials, customer passport data, bank records and medical information – are exposed on the internet, according to a report assessing the scale of inadvertent global data exposure by digital risk protection firm Digital Shadows.
The exposure represents an increase of over 750 million files since the same study was carried out by Digital Shadows in 2018. This represents an increase of more than 50%, despite the fact that consumers around the world have more power than ever to act against organisations failing to protect personal data due to the GDPR and a growing number of other data protection laws.
The exposed data includes 98 million records from the UK, 121 million from Germany, and 326 million from the US, putting many companies in breach of the GDPR and at risk of fines up to €20m or 4% of global turnover for failure to take adequate steps to protect the data of their customers.
The cause of this data exposure is the misconfiguration of commonly used file storage technologies, resulting in inadequate protection and access control, according to the report, entitled Too much information: The sequel.
The Photon Research Team at Digital Shadows found that nearly 50% of the files (1.071 billion) were exposed via the server message block (SMB) protocol – a technology for sharing files first designed in 1983 that now accounts for the largest number of exposed files as organisations increasingly seek to improve business efficiency by making data readily available to employees and partners.
Harrison Van Riper, Digital Shadows
“Businesses are focusing on making data available on remotely accessible servers, without paying enough attention to the security implications,” said Harrison Van Riper, a Photon Research analyst.
“The focus is on the business need, with many thinking they will attend to the security aspects later, rather than baking it in from the very start,” he told Computer Weekly. “But hopefully this will change in future due to the growing influence of the GDPR and other data protection legislation,” he added.
Other misconfigured technologies include file transfer protocol (FTP) services (20% of total), rsync sites (16%), Amazon S3 cloud storage buckets (8%) and network-attached storage (NAS) devices (3%).
Sensitive data at serious risk
According to the research team, the risks to organisations as a result of this exposure are “severe”. In addition to potential enforcement action under the GDPR and other data protection laws, organisations failing to secure sensitive personal information are putting customers, employees and third parties at risk of attack by cyber criminals tapping into the readily available data.
In one case, the researchers found that a small IT consulting company in the UK was exposing 212,000 files, many of which belonged to their clients, with password lists kept in plain text. The researchers said this was a “prime example” of organisations trusting third parties with their data and not having visibility when those third parties fail to keep them secure.
Read more about supply chain security
- UK firms trail the leaders US and Germany in knowing the most about their partners’ cyber security practices, but most companies globally are in the dark about this growing source of vulnerabilities.
- The second cohort of companies to benefit from the new London cyber innovation centre will focus on user-centric security and securing supply chains.
- Most UK business leaders expect suppliers to be cyber secure and nearly a third of businesses would terminate contracts because of suppliers’ security failings, a survey has revealed.
The report notes that in a recent Ponemon Institute survey of 1,000 security practitioners in the US and UK, 59% confirmed that their organisation had experienced a data breach due to a third party. The study underlines the importance of ensuring that partners and third parties are applying adequate security controls to organisations’ data, especially in the context of the GDPR, the researchers said.
Businesses are also exposing themselves to ransomware attacks by failing to take adequate steps to protect data, the report warns. More than 17 million of the exposed files have already been encrypted by ransomware, the researchers found.
Of these, two million (11% of the total) had been encrypted by the NamPoHyu variant, also known as MegaLocker, in just a few weeks since its discovery in April 2019. NamPoHyu ransomware specifically targets vulnerable servers using the Samba open source implementation of the SMB protocol that runs on Unix-based systems and allows for file communication to Windows operating systems.
Unlike most other ransomware that is delivered locally and launched as executables, NamPoHyu searches for publicly accessible Samba servers, brute forces them, and runs the ransomware locally to encrypt the exposed servers.
“This means many businesses are likely to have been impacted by these ransomware attacks, but may not be aware of it yet, and I expect to see ransomware attackers exploiting this exposure of files even more in future,” said Van Riper.
“The standard mitigation advice for ransomware is to back up files so that they can be restored easily if they are encrypted, but that will not work if those backups are also encrypted. Not only should organisations be backing up data, but they also need to ensure those backups are secure,” he said.
The report shows that the risk to individual consumers is high, with one exposed FTP server containing everything an attacker would need to conduct identity theft, including job applications, personal photos, passport scans and bank statements.
The researchers also found 4.7 million exposed medical-related files, the majority of which were medical imaging files stored in the Dicom (digital imaging and communications in medicine) format.
Hopeful signs that data exposure will decline
While overall file exposure has increased, the researchers reported a sharp decline in data exposed by Amazon S3 buckets. In November 2018, Amazon introduced Amazon S3 Block Public Access, which provided more extensive security controls for its services.
The researchers noted that since the introduction of the security controls, the number of exposed S3 buckets has fallen from just over 16 million to just 1,895.
Another positive sign is that since Luxembourg and the Netherlands introduced GDPR-aligned data protection legislation, the data exposure of both countries has decreased.
The data exposure for Luxembourg decreased by 28% from late August to mid-September 2018, shortly after the introduction of new data privacy laws on 1 August, which were implemented from 20 November.
The Netherlands decreased its exposure by 8%, with legislators starting the legislative process for the Dutch GDPR Implementation Act in December 2017, publishing the law on 22 May 2018, and beginning to apply it on 25 May.
The report said that while data protection legislation is only part of the solution to reducing data exposure, these examples suggest there is at least some correlation and indicates there is some chance that as the GDPR beds in across Europe, there will be further improvements.
“Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant,” said Van Riper.
“Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally and some 262 million more than when we looked at last year.
“Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organisations to audit the configuration of their public-facing services regularly.”
The key takeaway from the study for organisations, said Van Riper, is that they need to ensure that whatever data they are making publicly available can be accessed only by authorised systems and users by deploying various technical measures such as whitelisting and strong authentication.
“The NamPoHyu ransomware, for example, uses brute force attacks that exploit weak passwords, so if credentials for those servers are stronger, they are less likely to be infected,” he said.
Tips for securing data
Digital Shadows is advising organisations to take the following precautions:
- Use Amazon S3 Block Public Access to limit public exposure of buckets which are intended to be private. Enable logging through AWS to monitor for any unwanted access or potential exposure points.
- Disable SMBv1, and for systems which require the protocol, update to SMBv2 or v3. IP whitelisting should be used to enable only those systems that are authorized to access those shares, are indeed the only ones accessing those shares.
- If rsync is only used internally, disable port 837 to disallow any external connections. Encrypting all communications to and from rsync storage will also decrease potential exposure points.
- Use Secure FTP (SFTP) as an update to FTP (which is over 30 years old) which adds SSH encryption to the protocol.
- As with FTP servers, network-attached storage (NAS) drives should be placed internally behind a firewall and access control lists implemented to prevent unwanted access.
Read more about access control
- AWS users need the benefits of S3 but not the security concerns that come along with it.
- Secure data in the cloud with encryption and access controls because enterprises cannot rely on service providers to protect sensitive information.
- IT security pros must pay attention to securing identity and access, or their companies will pay the price.
- Identity and access management risks exist, but the benefits of IAM outweigh the drawbacks.