Misconfigured Box accounts lead to sensitive data leaks

Image Credit: Box (Image credit: Image Credit: Box)
Audio player loading…

Employees from dozens of major organizations have accidentally been leaking sensitive company and customer data by sharing public links to files in their Box (opens in new tab) enterprise storage accounts.

The discovery was made by the cybersecurity firm Adveris which found that major tech and corporate giants had inadvertently left company data exposed.

Data stored in a Box enterprise account is private by default but users have the ability to share files and folders with anyone through a publicly accessible link. Adveris discovered that these secret links can easily be discovered by others.

The firm found more than 90 companies with publicly accessible folders after using a script to scan for Box accounts with a list of company names.

Accidental data leaks

To make matters worse, even some of Box's own staff had accidentally leaked sensitive company data. According to the company, many organizations are not aware of the fact that the sensitive data they share can be found by others.

Box is well aware of the issue and Adveris brought attention to this fact in a blog post (opens in new tab) in which it quoted a post from the company's community portal (opens in new tab) which read:

“Creating public custom shared links for any content may result in anyone who can guess the URL gaining access to that content. To reduce risk to sensitive content, we recommend that:  Administrators configure Shared Link default access to 'People in your company' to reduce accidental creation of public (open) links by users. Administrators regularly run a shared link report (as described here) to find and manage public custom shared links. Users do not create public (open) custom shared links to content that is not intended for public consumption.”

To give some context to the gravity of this situation, Apple, Discovery television network, PR firm Edelman, nutrition giant Herbalife, the nonprofit Opportunity International, medical insurance software company PointCare and Schneider Electric all had employees that shared private links publicly using Box.

If your organization currently uses Box, it is recommended you train employees on how to properly share links or consider using a different cloud storage service altogether.

Via TechCrunch (opens in new tab)

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.