In the year since the Digital Shadows Photon Research Team released its “Too Much Information” report, the volume of data exposed through online file stores like Amazon S3 buckets, SMB-enabled file shares, and network attached storage (NAS) drives increased 50 percent – or 750 million files – with researchers finding 2.3 billion files exposed.
The information made vulnerable includes everything from passport scans and bank statements to credentials to health care and medical information. About half of the files were exposed through the Server Message Block protocol for file sharing, Digital Shadows said in its report, “Too Much Information: The Sequel.”
Misconfigured FTP services were responsible for 20 percent of the exposed files while Amazon S3 buckets accounted for eight percent and rsync, 16 percent. Though they get a lot of publicity, the number of exposures on S3 servers actually decreased, the report showed. The exposures, many through third parties, present a challenge for companies trying to adhere to GDPR and other privacy and data protection guidelines.
“Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year,” said Photon Research analyst Harrison Van Riper. “Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”
More than 17 million exposed files were found to have been encrypted by ransomware, particularly the “NamPoHyu” variant, which accounted for 2 million files.