One full year has passed since Digital Shadows’ Photon Research Team looked at the data exposure landscape among online file storage technologies like Server Message Block (SMB) file shares, rsync servers, and Amazon Simple Storage Service (S3) buckets. There are now 750 million more files exposed than we reported last year; not all of them are blatantly sensitive, but there is plenty of gold in these mountains. Several developments over the past year, some positive and some negative, have affected the data exposure landscape, prompting Photon to re-examine which files are still exposed and what has changed. Case studies throughout this paper highlight some of the most alarming information we were able to find.
Some of our key findings:
- Overall, we detected 2.3 billion files exposed across SMB-enabled file shares, misconfigured network-attached storage (NAS) devices, File Transfer Protocol (FTP) and rsync servers, and Amazon S3 buckets.
- The United States held onto its most-data-exposed title (more than 326 million files), although France and Japan lead their regions, with 151 million and 77 million files exposed, respectively.
- Similar to last year, the SMB protocol exposed the most data among the technologies we analyzed. FTP and rsync servers claimed 20 percent and 16 percent of the exposure detected, respectively.
- Threat actors are actively attempting to exploit this exposure. We discovered that over 17 million files across these online file repositories, which are often used for backing up data, had been encrypted by ransomware, 2 million of them linked to “NamPoHyu”, a variant of the “MegaLocker” ransomware.
- Amazon’s new feature Block Public Access was introduced in November 2018 and has reduced the overall exposure of S3 buckets to a nearly unrecognizable amount. Having found 16 million files coming from S3 buckets in October 2018, we’re now seeing fewer than 2,000 such exposed files.
- There are already two success stories following the General Data Protection Regulation (GDPR) being enacted in the European Union (EU): Luxembourg and the Netherlands have reduced their overall exposure and have national laws in place to implement GDPR. So far, they are the only two EU countries to do so; France, which has the greatest exposure among EU member countries, has yet to fully align to the GDPR at a national level.
- The problem of inadvertent data exposure is not an impossible one to solve. We outline several technical mitigation steps you can take to use these file storage technologies safely and efficiently. And as with anything information security related, educating technology users is another vital step.
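The S3 finding above turns on whether all four Block Public Access settings are in effect for a bucket. The following audit script is an added example, not code from the Digital Shadows report: it evaluates the configuration dict returned by the real AWS `get_public_access_block` calls (keys `BlockPublicAcls`, `IgnorePublicAcls`, `BlockPublicPolicy`, `RestrictPublicBuckets`), treats a missing configuration as "nothing blocked" (the way AWS does), and applies the rule that a setting enabled at the account level also covers every bucket. The bucket names and configurations in `SAMPLE_BUCKET_CONFIGS` are constructed sample data; the live-fetch helper assumes `boto3` is installed and AWS credentials are available.

```python
"""Audit which S3 buckets still lack a full Block Public Access configuration."""

# The four settings that make up an S3 Block Public Access configuration.
# These are the real key names returned by the S3 and S3 Control APIs.
BLOCK_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def missing_block_settings(config):
    """Return the names of Block Public Access settings that are not enabled.

    `config` is the dict found under 'PublicAccessBlockConfiguration' in a
    get_public_access_block() response, or None when the API reported that no
    configuration exists at all (AWS treats that as nothing being blocked).
    """
    if config is None:
        return list(BLOCK_SETTINGS)
    return [name for name in BLOCK_SETTINGS if not config.get(name, False)]


def audit_buckets(account_config, bucket_configs):
    """Map each bucket name to the settings it is still missing.

    AWS applies the most restrictive combination of account- and bucket-level
    settings, so a setting enabled at either level counts as enabled here.
    """
    account = account_config or {}
    report = {}
    for bucket, cfg in bucket_configs.items():
        bucket_cfg = cfg or {}
        effective = {
            name: bool(account.get(name, False) or bucket_cfg.get(name, False))
            for name in BLOCK_SETTINGS
        }
        report[bucket] = missing_block_settings(effective)
    return report


def fetch_live_configs(account_id):
    """Fetch account- and bucket-level configurations with boto3.

    Assumes boto3 is installed and credentials are configured; imported here
    so the evaluation logic above stays usable without AWS access.
    """
    import boto3
    from botocore.exceptions import ClientError

    def _get(call, **kwargs):
        try:
            return call(**kwargs)["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
                return None
            raise

    s3 = boto3.client("s3")
    s3control = boto3.client("s3control")
    account_cfg = _get(s3control.get_public_access_block, AccountId=account_id)
    bucket_cfgs = {
        b["Name"]: _get(s3.get_public_access_block, Bucket=b["Name"])
        for b in s3.list_buckets()["Buckets"]
    }
    return account_cfg, bucket_cfgs


# Constructed sample data: an account that never enabled Block Public Access,
# one fully locked-down bucket, one partially configured, one never configured.
SAMPLE_ACCOUNT_CONFIG = None
SAMPLE_BUCKET_CONFIGS = {
    "backups-prod": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    },
    "legacy-share": {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": False,
        "BlockPublicPolicy": False,
        "RestrictPublicBuckets": False,
    },
    "never-configured": None,
}


if __name__ == "__main__":
    # Run against the constructed sample; swap in fetch_live_configs(<account id>)
    # to audit a real account.
    for bucket, missing in audit_buckets(SAMPLE_ACCOUNT_CONFIG, SAMPLE_BUCKET_CONFIGS).items():
        status = "blocked" if not missing else "exposed, missing " + ", ".join(missing)
        print(f"{bucket}: {status}")
```

Run as-is, the script reports `backups-prod` as blocked and the other two sample buckets as exposed with the settings they lack; enabling all four settings at the account level (a single `put_public_access_block` call on the S3 Control client) would clear every entry in the report, which is the effect the finding above attributes to the feature.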