Network security company Adversis found that employees at dozens of companies openly share links to files in their Box enterprise cloud storage accounts, inadvertently leaking sensitive business and customer data.
Although data stored in a Box corporate account is private by default, users can share files or folders with anyone, so that only a link is needed to access these files publicly. But Adversis said that these secret links can also be discovered by others. Using script scanning and enumeration, Adversis found that folders from more than 90 companies are publicly accessible.
The company said that while most of the data is legally open, the company also sends recommendations to users to help them minimize risk. But many employees may not know that sensitive data is being shared and can even be found by others. Worse, some public folders can also be indexed by search engines, making the information more discoverable.
The leaked information includes:
- Hundreds of passport photos
- Social Security and bank account numbers
- High-profile technology prototype and design files
- Employee lists
- Financial data, invoices, internal issue trackers
- Customer lists and archives of years of internal meetings
- IT data, VPN configurations, network diagrams
Adversis said Box should change the default shared link setting to “people in your company” to reduce the probability of accidentally exposing sensitive information.