Companies like Apple, flight reservation system Amadeus, the Discovery TV network, and nearly 90 others were found to be leaking sensitive information due to a misconfiguration problem with their Box enterprise storage accounts. Staff in the client companies were inadvertently sharing links to their Box accounts making them easily discoverable.
Zack Whittaker filed this report on leaky Box accounts in TechCrunch:
The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found more than 90 companies with publicly accessible folders.
Not even Box’s own staff were immune from leaking data. The company said while much of the data is legitimately public and Box advises users how to minimize risks, many employees may not know the sensitive data they share can be found by others. Worse, some public folders were scraped and indexed by search engines, making the data found more easily.
In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public. Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data like invoices and receipts and customer data among the data found. The company contacted Box to warn of the larger exposures of sensitive data, but noted that there was little overall improvement six months after its initial disclosure. “There is simply too much out there and not enough time to resolve each individually,” he said.
