Misconfigured Box Accounts Yield Sensitive Data
Nearly 100 companies were exposing sensitive data, including raw CAD files and Social Security Numbers, on misconfigured Box accounts.
Box, the popular cloud content management and file sharing service, is encouraging customers this week to review sharing settings for their organizations after data belonging to dozens of companies was found online and available to the public.
The data, which included sensitive files such as passport photos, Social Security and bank account numbers, prototype and design files, employee lists, and financial data, was first uncovered by researchers on exposed Box accounts last fall. The cybersecurity firm that unearthed the data, Adversis, a startup that mostly specializes in penetration testing, alerted Box to its findings in September, at the same time it reached out to some of the affected companies.
According to TechCrunch, which reported on the news Monday, some of the companies whose information was publicly accessible include the Discovery Channel, Apple, Schneider Electric, and even Box, which had several of its own folders exposed.
The research is the latest in a long line of stories about misconfigured cloud storage buckets. Last year, billions of records were stolen or leaked due to poorly configured Amazon S3 buckets. Several tools, including open source services, have been released in hopes of helping companies find unsecured buckets, but that hasn't stopped the high-profile data leaks.
Box, like other cloud management services, allows users to share content via shared links, whose audience can be set to anyone with the link, people in the company, or only people who have been invited. While data stored on Box is private by default, users who don't set the access to 'People in your company' risk anyone being able to find it.
Another issue stems from the fact that companies that use Box Enterprise get their own sub-domain URL, and both the sub-domains and the folder names beneath them can be brute-forced.
By using a script to search for Box accounts, Adversis found nearly 100 companies. Investigating further, the researchers found folders, many of which contained non-critical marketing materials. Some, however, contained raw CAD files, network diagrams, customer orders, asset information, and PowerPoint slides marked confidential.
Box on Sunday – the day before Adversis published its research – stressed that administrators should ensure they have set shared link default access to 'People in your company' in order to prevent the exposure of data to the public. It also encouraged companies to run a shared link report in order to find and manage any custom shared links that could be viewable by the public. That's in addition to something that should be common sense: Don't create or share custom shared links to content that's not designed for public consumption.
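As an added example (not from the article, Box, or Adversis), the Python below triages a shared-link inventory the way the report Box recommends would be used: it counts links by access level and flags every link whose access is 'open' (anyone with the link) rather than 'People in your company'. The input is constructed sample data modelled loosely on the Box API's shared_link object; the field names, the sample items, and the sensitive-keyword list are assumptions to be adjusted to a real export.

```python
import json

# Constructed sample items (not real data), shaped like a shared-link export.
# Assumed access values: "open" (anyone with the link), "company", "collaborators".
SAMPLE_ITEMS = json.loads("""
[
 {"type": "folder", "name": "Marketing Collateral", "owner": "mkt@example.com",
  "shared_link": {"access": "open", "url": "https://example.app.box.com/s/aaa"}},
 {"type": "file", "name": "network-diagram-prod.vsdx", "owner": "ops@example.com",
  "shared_link": {"access": "open", "url": "https://example.app.box.com/s/bbb"}},
 {"type": "file", "name": "Q3-financials.xlsx", "owner": "fin@example.com",
  "shared_link": {"access": "company", "url": "https://example.app.box.com/s/ccc"}},
 {"type": "folder", "name": "Board Materials", "owner": "ceo@example.com",
  "shared_link": {"access": "collaborators", "url": "https://example.app.box.com/s/ddd"}},
 {"type": "file", "name": "holiday-schedule.pdf", "owner": "hr@example.com",
  "shared_link": null}
]
""")

# Name fragments hinting the content was never meant for public consumption
# (assumed list; tune to the organisation's own naming conventions).
SENSITIVE_HINTS = ("confidential", "network", "diagram", "financial", "cad", "passport", "order")


def classify(item):
    """Return the link's access level, or 'none' when the item has no shared link."""
    link = item.get("shared_link")
    return link.get("access", "unknown") if link else "none"


def summarize(items):
    """Count items per access level, so an admin sees how many links are public at a glance."""
    counts = {}
    for item in items:
        level = classify(item)
        counts[level] = counts.get(level, 0) + 1
    return counts


def audit(items):
    """List every publicly reachable ('open') link with an owner to contact and a severity."""
    findings = []
    for item in items:
        if classify(item) != "open":
            continue
        sensitive = any(hint in item["name"].lower() for hint in SENSITIVE_HINTS)
        findings.append({
            "name": item["name"],
            "owner": item["owner"],
            "url": item["shared_link"]["url"],
            "severity": "high" if sensitive else "medium",
            "fix": "set access to 'People in your company' or remove the link",
        })
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_ITEMS))
    for f in audit(SAMPLE_ITEMS):
        print(f"[{f['severity']}] {f['name']} ({f['owner']}): {f['fix']}")
```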
The company is also encouraging admins to leverage a third-party SIEM or tool that can log activity in order to review suspicious activity across their enterprise.
Deploying a data protection solution that can integrate with cloud storage providers and deliver remediation and logging capabilities is a good way to ensure data in the cloud stays where it belongs. Platforms exist that can prompt on or block suspicious user activity and log and audit events for further analysis, while giving admins visibility into data in cloud storage platforms like Box.