Dozens of companies leaked sensitive data thanks to misconfigured Box accounts

TechCrunch | 3/11/2019 | Staff

Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can be easily discovered.

The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders.

The company said while much of the data is legitimately public and Box advises users how to minimize risks, many employees may not know the sensitive data they share can be found by others.

Worse, some public folders were scraped and indexed by search engines, making the data even easier to find.

In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.
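The article describes two sides of the same setting: a tenant default for new shared links, and the links that already exist. An administrator who changes the default still needs to find the links created before the change. The following script is an added example, not code from the article, from Adversis or from Box; it assumes the shape of a Box file object as returned by the Box Content API (a `shared_link` sub-object whose `access` field is `"open"`, `"company"` or `"collaborators"`), and the file records it runs over are constructed sample data rather than a real listing.

```python
"""Audit file records from a Box tenant for shared links open to anyone.

Assumptions (not from the article): each record mirrors a Box file object
with an optional `shared_link` sub-object carrying an `access` field of
"open" (anyone with the URL), "company" or "collaborators".
"""
from collections import Counter

# Constructed sample records standing in for a folder listing.
SAMPLE_FILES = [
    {"id": "f1", "name": "invoice-2019-q1.pdf",
     "shared_link": {"access": "open", "url": "https://app.box.com/s/EXAMPLE1"}},
    {"id": "f2", "name": "employee-list.xlsx",
     "shared_link": {"access": "company", "url": "https://app.box.com/s/EXAMPLE2"}},
    {"id": "f3", "name": "press-release.docx",
     "shared_link": {"access": "open", "url": "https://app.box.com/s/EXAMPLE3"}},
    {"id": "f4", "name": "passport-scan.jpg", "shared_link": None},
]

# Name fragments that suggest the kinds of data the article says were exposed.
SENSITIVE_HINTS = ("passport", "invoice", "ssn", "password", "employee", "bank")


def find_open_links(files):
    """Return the records whose shared link is reachable by anyone with the URL."""
    return [f for f in files
            if f.get("shared_link") and f["shared_link"].get("access") == "open"]


def flag_sensitive(files):
    """Narrow the open-link set to names that hint at sensitive content, for triage first."""
    return [f for f in find_open_links(files)
            if any(hint in f["name"].lower() for hint in SENSITIVE_HINTS)]


def summarize(files):
    """Count records per shared-link access level; files with no link count as 'none'."""
    return dict(Counter((f.get("shared_link") or {}).get("access", "none") for f in files))


if __name__ == "__main__":
    print("access levels:", summarize(SAMPLE_FILES))
    for f in find_open_links(SAMPLE_FILES):
        print("OPEN:", f["id"], f["name"], f["shared_link"]["url"])
    print("triage first:", [f["name"] for f in flag_sensitive(SAMPLE_FILES)])
```

The output of `find_open_links` is the remediation list: each entry is a link whose access should be reduced to "people in your company" (or removed) after the tenant default has been changed as the article recommends, with the `flag_sensitive` subset handled first.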

Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data like invoices and receipts, and customer data were among the data found. The company contacted Box to warn of the larger exposures of sensitive data, but noted that there was little overall improvement six months after its initial disclosure.

“There is simply too much out there and not enough time to resolve each individually,” he said.

Adversis provided TechCrunch with a list of known exposed Box accounts. We contacted several of the big companies named, as well as those known to have highly sensitive data, including:

Amadeus, the flight reservation system...
(Excerpt) Read more at: TechCrunch