Accidental Data Leaks: A Serious Concern for Businesses
In today’s connected world, businesses are tasked with protecting themselves against an ever-increasing range of cybersecurity threats. Even though cyberattacks are usually perpetrated by intentionally malicious attackers, employees can accidentally create similar damage. These types of breaches are commonly referred to as accidental data leaks. While they do not typically involve malicious intent, they can still cause irreparable damage to an organization.
Accidental data leaks come in all shapes and sizes. However, most involve employees giving third parties or the wider Internet too much access to data. Although this sounds like a trivial issue to stop, organizations worldwide have lost hundreds of millions of dollars over the years due to these breaches.
Below are some of the most common kinds of accidental data leaks, along with real-world cases and suggestions on how to prevent them.
1. Cloud Storage Leaks
Companies throughout the world rely on cloud storage services (such as Amazon S3, Azure Blob Storage, or Google Cloud Storage) to store data ranging from sensitive documents to server backups. These services scale to nearly unlimited capacity, offer granular access control, and make backups and compliance easy.
Many IT infrastructure setups involve third-party software (like ERP or CRM tools) with access to data stored in these repositories. While cloud storage providers offer a vast array of identity and access management tools to restrict access to particular people and software, many businesses unintentionally leave their cloud storage accessible to the wider Internet.
Even productivity-oriented cloud storage options that are intended to offer secure collaboration, for example, OneDrive and Google Drive, can be used to leak data. These productivity suites offer “public on the Internet” sharing settings, which some employees use to share information with internal or external collaborators when the better choice is more restrictive access.
In 2017, Booz Allen Hamilton, a major US defense contractor, left an Amazon S3 bucket open, leaking gigabytes of battlefield satellite and drone imagery. Additionally, attackers managed to gather administrator remote access credentials from the storage solution. That same year, Dow Jones, the parent company of The Wall Street Journal, accidentally leaked the anti-money-laundering financial data of over two million customers.
Both data leaks could have been prevented by implementing a better cloud security configuration. This involves restricting access to cloud storage buckets with granular, rather than universal, permissions, and using identity and access management to give access only to authorized users and service accounts.
2. Third-Party Vendor Leaks
The massive 2013 Target data breach, in which hundreds of millions of consumers’ financial information was stolen, resulted from the company not walling off its vendor access portal adequately from the rest of its network. In this attack a hacker compromised one of Target’s refrigeration vendor’s systems through a phishing email, which in turn allowed them to successfully initiate the attack against Target.
The principle of least privilege applies especially to vendors and third parties. If organizations give external vendors privileged access to their systems, then they are effectively betting that those vendors will not be compromised. External vendors should have only the right amount of access to do their jobs without causing severe issues if they or their own vendors are compromised.
One easy way to find the most limited set of privileges is to create a test account and continue adding permissions until it can effectively perform its duties. It is far easier to add another permission later on than to risk a cyberattack.
3. Physical Device Compromise Leaks
In 2005, someone stole an Ameriprise Financial laptop containing the data of over 230,000 customers and financial advisers by breaking into an employee’s parked car. According to an Ameriprise Financial spokesperson, the thief likely did not know that the laptop contained sensitive data.
Regardless of how good an organization’s network and cloud security is, physically compromised devices can be used to leak even the most sensitive data. Businesses should use full-disk encryption on all endpoints along with endpoint detection and response (EDR) or mobile device management (MDM) to wipe systems remotely if lost or stolen.
4. Hosted Code Repository Leaks
Hosted version control code repositories, such as GitHub, are popular choices for organizations that need to collaborate on code or IT configuration data. While the underlying Git version control tool provides mechanisms to exclude sensitive data from public repositories, many companies still unintentionally leak credentials, API keys, and even personally identifiable customer information.
In early 2020, Rogers Communications mistakenly exposed passwords, secret keys, and other sensitive information in a set of public GitHub accounts. The accounts, which were owned by an employee who had since left the company, were made public long before the company discovered the data leak.
To verify that public data does not include secrets, organizations should enable GitHub’s secret scanning feature. Organizations that do not use GitHub can use a more general, but complex, solution from AWS.
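A simplified local version of the same idea, as an added example that is not GitHub's secret scanning feature or code from the original article: it scans only the added lines of a unified diff (for instance the output of `git diff --cached`) for a few widely documented secret formats. The sample diff is constructed, the key shown is the placeholder used in AWS documentation, and the rule names are this example's own.

```python
import re

# A few widely documented formats; production scanners cover many more providers.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?i)(?:password|passwd|secret)\w*\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Matches a hunk header and captures the first line number on the new side.
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed sample diff; the values are placeholders, not real credentials.
SAMPLE_DIFF = "\n".join([
    "diff --git a/config/settings.py b/config/settings.py",
    "--- a/config/settings.py",
    "+++ b/config/settings.py",
    "@@ -10,3 +10,4 @@",
    " DEBUG = False",
    '+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    '+DB_PASSWORD = "example-only-value"',
    ' REGION = "us-east-1"',
    '-OLD_KEY = "AKIAIOSFODNN7EXAMPLE"',
])

def scan_diff(diff_text):
    """Return (path, line_number, rule) for each secret found on an added line."""
    findings, path, lineno = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (match := HUNK.match(line)):
            lineno = int(match.group(1))
        elif line.startswith("+"):
            for rule, pattern in PATTERNS.items():
                if pattern.search(line[1:]):
                    findings.append((path, lineno, rule))
            lineno += 1
        elif line.startswith(" "):
            lineno += 1  # context lines advance the new-file line counter
    return findings

if __name__ == "__main__":
    for path, lineno, rule in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{lineno}: {rule}")  # the matched value is deliberately not printed
```

Removed lines are ignored here, but a secret that was ever committed remains in the repository history and should be rotated regardless.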
5. External Storage Device Leaks
USB flash drives, external hard drives, and file-syncing tools, like Dropbox, are convenient ways for employees to transfer data from one machine to another. However, they also pose significant security risks. Similar to laptops or smartphones without full-disk encryption, flash drives and other insecure storage devices can be stolen, and the data on them exfiltrated, with ease.
According to the 2015 SolarWinds Federal Cybersecurity Survey, 44% of IT professionals found “data copied to external devices” to be the top accidental insider threat. Although the benefits of restricting insecure storage are clear, employees may find workarounds unless IT departments provide equally convenient and more secure options, such as officially endorsed network shares or business cloud storage.
Secure Your Business
Most accidental data leaks look similar: a well-meaning employee places a high amount of trust in external parties or fails to adequately protect a resource. Despite the lack of malice involved in an accidental data leak, companies suffer fallout just as if they were hit by a sophisticated cyberattack.
To help prevent accidental data leaks, companies should combine robust security policies that can prevent risky employee behaviors with continuous employee security training.
Outsource IT has extensive experience in helping businesses navigate the ever-changing landscape of information security. No matter what kinds of IT tools and services your business uses, Outsource IT can help protect your vital business data. Contact your Outsource IT account manager to learn more about our business IT security services.