Gaining access to personal details doesn’t require a cyber mastermind

Billions of documents containing private data, from medical to financial records, are easily available for public access online, a new study has revealed.

A report by cybersecurity firm Digital Shadows found that 1.5 billion files, or 12,000 terabytes of data, were being exposed online through storage services, misconfigured websites and FTP servers.

The study was conducted over a three-month period, from January to March 2018, to demonstrate that data can be easily accessed because of a failure to implement basic security procedures.

Third-party contractors were the least secure when it came to data protection, Digital Shadows said, but individual users also tended to back up their data to the open web without realizing it.

The information available to even the most novice of cybercriminals predominantly included payroll and tax return details; 4,548 patient lists and even data from a point-of-sale terminal were also easily reachable.

This comes as misconfigured Amazon S3 storage servers made the headlines for leaking data, with researchers at IBM reporting how cybercriminals are increasingly taking advantage of systems such as these.

IBM said that these servers caused nearly 70% of all publicly-disclosed data breaches in 2017, 424% more than the previous year.

But the Digital Shadows study claimed that only 7% of the leaked data was related to misconfigured systems, and that it was mainly older but widely used technologies that were causing files to be exposed.

Digital Shadows said file transfer services like Server Message Block (SMB), rsync and FTP contributed the most to data being exposed online.

Rick Holland, Chief Information Security Officer at Digital Shadows, said: “While we often hyperfocus on responding to adversaries conducting intrusions into our environments and silently exfiltrating our data, we aren’t focusing on our external digital footprints and the data that is already publicly available via misconfigured services.”

Holland added: “The volume of this sensitive data exposure should be a major cause for concern for any security and privacy conscious organization.”

The study was released just over a month before the implementation of the EU’s General Data Protection Regulation (GDPR) – legislation enforcing greater cybersecurity measures within all companies transferring or retaining personal data.