2.3 Billion Files Exposed Online: The Root Causes
Researcher Harrison Van Riper Analyzes Why So Many Files Are Accessible
Misconfigured file storage technologies and a lack of basic security controls are the root causes for the inadvertent online exposure of 2.3 billion files across the web worldwide that contain personal information, including sensitive medical data, says Harrison Van Riper, a security researcher at Digital Shadows' Photon Research Team.
Van Riper was lead analyst on a recent study that discovered 2.3 billion exposed files across online file stores, up about 50 percent from a similar study last year. The files included a wide variety of personal information, including medical diagnostic images, passport scans, bank statements and credentials to company systems.
Many of the files were exposed via Server Message Block, or SMB, protocol file shares. "FTP [file transfer protocol] servers were a big one; Amazon S3 buckets were another big one," he says in an interview with Information Security Media Group.
In addition to issues with misconfiguration, a lack of authentication made many of these files accessible on the internet, Digital Shadows' research notes.
"No login, or passwords - [the files] were widely available if you knew where you were going, such as the FTP server address or the domain where the Amazon S3 bucket was hosted," he says.
Authentication "is a very basic thing to do when you set up cloud storage, or setting up anything," yet that control was commonly lacking, he adds.
Healthcare Data Exposed
Some 4.7 million of the exposed files were healthcare-related, and most of those were medical imaging files, Van Riper says.
Many of the exposed medical images contained patient names and other identifiers, such as date of birth, as well as details about the patient's healthcare encounter, such as the date the imaging was performed.
Medical images are often reviewed by physicians in locations other than where the image was created, he notes. "A lot of these medical systems and architectures are set up ... not with security in mind," Van Riper says.
In the interview, Van Riper also discusses:
- Other types of exposed files and information the researchers discovered;
- Whether the unprotected files - including health information - could potentially be considered a reportable breach under HIPAA;
- Steps organizations can take to prevent these kinds of inadvertent data exposures.
Van Riper is a strategy and research analyst at Digital Shadows' Photon Research Team. Van Riper investigates the crossover between technology and crime. He was previously a senior analyst on the strategic intelligence team at Digital Shadows.