Most companies use a cloud-based sharing system to make their professional lives more manageable. However, in the case of Box, it only led to more headaches over leaked data. Box is a cloud content management system that lets a group of coworkers share documents, work in apps securely, and create links to company information.
Security Research Shows Public Links
Something as simple as a link between coworkers seems like a routine part of the day, but on March 11, security researchers from Adversis found quite the opposite. The security firm created a script to scan for Box accounts that may have had public links to sensitive information. When employees in a large business want to find relevant information in the Box storage quickly, they customize the link.
Instead of a URL consisting of the company name followed by “box.com,” they add a slash and a term describing the linked information. For example, the link may point to a customer database that a Box user wants to open quickly before calling a customer. While this makes information sharing smoother, it also increases the chances of third parties discovering confidential information.
Information Leaked and Companies Behind It
While Adversis found that most of the data that was leaked was harmless, some personally identifiable information (PII) was included and left without protection. Some of the personal information leaked includes passport photos, social security numbers, invoices, and resumes.
The data leaks came about as a result of users forgetting that custom links are easy to share and even easier for a savvy hacker to guess. Administrators also forgot to change the default access for shared links to “people in your company.”
This link issue affected over 90 companies, many being well-known brands. Apple, the television network Discovery, global public relations firms and even Box itself could not avoid the accidental data leak. While their losses included project proposals and customer names, some cases were more severe. United Tissue Network’s leak exposed body donor information and the prices for each body part.
To Share, or Not to Share
Following its discovery, Adversis wanted to alert each affected company individually. Unfortunately, given the number of companies involved, there was no way it could contact every victim. Several of the affected companies have already reconfigured their Box systems to create a more secure storage service. Box explained that it advises users on how to minimize risks and takes security seriously. It then gave a few pointers for companies to follow if they use Box:
- Run regular shared link reports
- Don’t create public custom shared links to content not intended for the public
- Change the default link access to “people in your company”
Box aims to educate users on the link settings tool and will disable a public custom shared link until the Box Admin gives approval.
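A defender-side check that covers the first two pointers above, added here as an example and not code from Box or Adversis: it reads a shared-link report (a constructed sample below, in the shape of Box API records with the `shared_link` field, whose `access`, `vanity_name`, `is_password_enabled` and `unshared_at` names are Box's own) and ranks public custom links ahead of everything else.

```python
import json

# Constructed sample report: records in the shape the Box API returns when the
# `shared_link` field is requested (field names are Box's; the values are made up).
SAMPLE_REPORT = json.loads("""
[
  {"id": "1", "name": "customer-db.xlsx",
   "shared_link": {"access": "open", "vanity_name": "customers",
                   "is_password_enabled": false, "unshared_at": null}},
  {"id": "2", "name": "q3-proposal.pdf",
   "shared_link": {"access": "open", "vanity_name": null,
                   "is_password_enabled": true, "unshared_at": "2030-01-01T00:00:00-08:00"}},
  {"id": "3", "name": "team-notes.docx",
   "shared_link": {"access": "company", "vanity_name": "notes",
                   "is_password_enabled": false, "unshared_at": null}},
  {"id": "4", "name": "unshared.txt", "shared_link": null}
]
""")

def classify(link):
    """Return (severity, reason) for one shared_link object, or None if benign."""
    if not link or link.get("access") != "open":
        return None  # no link, or limited to the company / collaborators
    guessable = bool(link.get("vanity_name"))      # custom link text is guessable
    protected = link.get("is_password_enabled") or link.get("unshared_at")
    if guessable and not protected:
        return ("high", "public custom link, no password or expiry")
    if guessable:
        return ("medium", "public custom link (password or expiry set)")
    if not protected:
        return ("medium", "public random link, no password or expiry")
    return ("low", "public random link with password or expiry")

def audit(items):
    """Return findings as (severity, name, reason), highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for item in items:
        result = classify(item.get("shared_link"))
        if result:
            findings.append((result[0], item["name"], result[1]))
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for sev, name, why in audit(SAMPLE_REPORT):
        print(f"{sev.upper():6} {name}: {why}")
```

Items whose link access is “company” or “collaborators” are skipped, so after changing the default link access as Box recommends, the report shrinks to the links that were deliberately made public.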
Ensure Your Company’s Data is Secure
When it comes to extremely important data, such as social security numbers and customer databases, you need a solution that thinks outside the “Box.” Our SecureDrive line consists of hardware-encrypted devices that are FIPS 140-2 Level 3 validated.
Access to the KP model requires a unique PIN that is entered on a wear-resistant keypad while the BT model only allows access after unlocking the device from the app on your phone. Both versions offer read-only mode, so even if you do share the company’s data, it can’t be tampered with.
Secure Forensics also offers a solution if you or your company has been a victim of a data breach. Our experts can investigate the breach and find the culprit behind the attack.