Users of File Sharing Apps Continue to Expose Valuable Private Data, Including Tax Returns
Intralinks has recently published a new article saying that it was still (almost 18 months after first making the issue known to Dropbox) receiving links to information that Dropbox users clearly did not intend to fall into unauthorised hands.
About a year ago, Intralinks revealed that it had
uncovered a security issue with many consumer file sync and share applications
that, due to how they were being deployed, put users’ sensitive personal
information at serious risk. One year later, we’ve found that similar issues
continue to persist, raising significant concerns about how these products are
being used.
Background
Like many companies, Intralinks
advertises using Google Adwords, and often uses industry product or company
names to determine when an ad is presented alongside a search. In 2014, when
using Google Analytics to review the results of some campaigns, we
inadvertently discovered the fully clickable URLs necessary to access documents
in some Dropbox and Box accounts. Subsequently, we found other issues with file
sharing apps, and reported our concerns to the affected companies so they could
take any necessary action.
However, it’s clear that many users
still don’t understand the security issues they face when sharing personal or
sensitive information. Many users likely presume the data they store in file
sharing apps — which may be personal data and, in some cases, may include
their employers’ data — is always safe, when often it isn’t.
As a result, when we analyzed a
Google Adwords campaign we ran last month, we once again found active
links to user files that could be downloaded. And, the truly scary thing is the types of files we found: in one case, we even inadvertently discovered a completed U.S. tax return that contained extensive personal and financial information, potentially sufficient to enable identity theft.
Who’s At Risk?
To be clear, we gained access to
files because users of file sharing applications often don’t take steps to
safeguard their data. Most file sharing apps explain
how shared links can be used. Nevertheless, many users clearly don’t know or
perhaps don’t understand that even if they don’t actively share a link
to a file, an unsecured link could still be uncovered and their files could be
accessed. With estimates of well over 400 million users of consumer file
sharing apps, this is a significant issue.
Conceivably, all file sharing apps
could potentially be vulnerable to this issue. Many people don’t use basic
security features, like setting passwords. To compound the problem, many people
use consumer file sharing apps for both personal data and company data, with no
or insufficient security in place.
Even with warnings about these
risks, it appears that a number of users of file sharing apps remain unaware
that some free products come at a price: they don’t provide the necessary
features to secure files adequately. We believe that using a file sharing app
that doesn’t support robust security like authentication and password
protection is, simply put, very risky.
How To Protect Your Data
Users of file sharing applications
need to take more care with their data, and educate themselves about the risks.
They also need to understand which products are safest to use. If you want to
avoid putting your data at risk, here are steps you can take:
- Check that your cloud file sharing app supports privacy settings — and use them!
  Make sure that the product you use supports “privacy” settings that ensure that only people you specifically invite will be able to access your files. The system should support authentication, requiring users to identify themselves to gain access to your files. These security features should be part of the platform you use, not an “add on” you need to integrate. If possible, make the default setting for your account the most secure setting.
- Avoid file sharing apps that don’t support data privacy and security
  If your current file sharing service doesn’t support privacy and security settings, switch to a version or alternate product that does. Adequate security doesn’t have to mean the product will be clunky to use or expensive. And losing your files can be embarrassing, costly, and potentially damaging. (We know because we found some truly hair-raising files.)
- Sharing pictures of your cute cat is different from sharing your tax return
  Many consumer file sharing apps are great for storing certain types of data in the cloud and for sharing non-sensitive pictures and files. But sharing sensitive data isn’t safe unless you’ve taken the right precautions. Think about how you share different types of information and make sure that your security settings match the sensitivity of your information. If you share especially sensitive data, such as financial information, then consider advanced security features like information rights management that provide full control of files and how they are accessed, even after you’ve shared them.
- Delete old files that you don’t need anymore
  Get into the habit of deleting files once they’re no longer needed, especially if you have shared them with others. If you’ve been using a file sharing app without security enabled, we recommend deleting all of your previously posted files and reposting them to a new account that has security enabled.
- Don’t mix work and pleasure
  Mixing work and personal files in a single account is, quite simply, a bad idea. Losing your personal data is serious enough, but losing company data can have severe consequences: lost reputation, reprimands and other professional consequences, regulatory and legal issues and even fines.