Sharing public links to private files in Box enterprise storage can lead to more than productive collaboration: it can expose sensitive data to anyone with a search engine and a well-formed query.
Security firm Adversis discovered hundreds of Box customers who had hundreds of thousands of documents and terabytes of data exposed. In the blog post announcing the find, Adversis said it originally intended to notify all the companies whose data they found, but the scale of the discovery quickly made that impossible.
This is not a bug in Box, the researchers said: It’s an advertised feature that’s working precisely as it should but was misconfigured by users. Tech blog TechCrunch worked with Adversis and found large, public companies that had exposed millions of customer names, email addresses, phone numbers, and other sensitive information. When contacted, those companies took the sensitive information offline.
In a statement to Dark Reading, Pravin Kothari, CEO of CipherCloud said, “A single misconfiguration can cause havoc as all your sensitive information could be exposed to the public or hackers by a user’s inadvertent action. Not only do you have to deal with reputational damage, but if the exposed data had regulatory requirements then you’re also looking at stiff penalties.”
Box spokesperson Denis Roy told Tech Crunch: “We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio