Analysis Finds Billions of Sensitive Files Exposed Online

Today in Security: Analysis Finds Billions of Sensitive Files Exposed Online

A recent analysis found that 2.3 billion files are exposed online across Server Message Block-enabled file shares, misconfigured network-attached storage devices, File Transfer Protocol and rsync servers, and Amazon S3 buckets.

The finding comes from Digital Shadows' Photon Research Team, which looked at the data exposure landscape for the second year in a row in its report Too Much Information: The Sequel. This year's 2.3 billion exposed files are an increase from last year's finding of more than 1.5 billion.

The United States had the most data exposed (more than 326 million files), with France (151 million files) and Japan (77 million files) leading their regions.

"Threat actors are actively attempting to exploit this exposure," Digital Shadows said. "We discovered that over 17 million files across these online file repositories, which are often used for backing up data, had been encrypted by ransomware, 2 million of them linked to 'NamPoHyu,' a variant of the 'MegaLocker' ransomware."

Digital Shadows also found that the number of medical-related files exposed online increased, with the number of medical imaging files nearly doubling—up to 4.4 million from 2.2 million exposed files.

"As with all of the cases we discuss in this paper, not every single one of the exposed files is going to contain something sensitive," Digital Shadows explained. "However, the sheer amount of information exposed illustrates the extent of individuals' privacy violations, and of regulations like HIPAA in the United States."

Digital Shadows' research also uncovered a treasure trove of information that malicious actors could use to conduct identity theft—job applications, personal pictures, passport scans, and more.

"Even though businesses are often the loudest voices regarding financial crimes and are likely responsible for a lot of the data currently exposed, this instance highlights the profoundly personal side of the issue," Digital Shadows explained. "If an attacker wanted to gain access to this individual's bank account, they'd need to perform only minor social engineering of the victim's bank, as all the information they would need is entirely accessible."

These exposures, which can have direct negative effects on consumers, are even more dangerous for organizations subject to the EU's General Data Protection Regulation because they offer new ways for consumers to hold companies that collect and store their data accountable.

"Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant," said Harrison Von Riper, a Photon Research analyst, in a statement. "Countries within the European Union are collectively exposing over one billion files—nearly 50 percent of the total we looked at globally—some 262 million more than we looked at last year."