Box Data Leaks – Location-Based Security Failure Impacts 90 Companies


3 Reasons security based on location in not good enough

Another day, another data leak with the sensitive corporate and customer data from over 90 companies, including Apple, Box and Discovery Network, exposed due to the incorrect use of public sharing links in the Box enterprise storage platform. This time ‘leak’ is the more appropriate term than breach as the data was inadvertently exposed by employees sharing public links to files in their Box accounts that was subsequently easily discovered. This discovery underscores why organizations need to adopt a more mature data-centric security approach to protecting their sensitive data than just relying on securing the container that content resides in.

The leaks were not caused by a flaw in Box as the ability to publicly share a folder and its contents with anyone via a simple link is a primary feature. When used properly it’s a very useful collaboration tool. In fact, it’s a common capability found in most collaboration platforms. Improper usage however can have series data privacy and exposure repercussions as these leaks at over 90 unsuspecting companies demonstrate.

Let’s look at the three key reasons why a location-based security approach is fatally flawed.

1.  Securing the data repository doesn’t fully protect the content

It’s an approach that’s been around almost since the dawn of time when it comes to protecting what is valuable to us. Whether personal possessions, money, or – in this case – sensitive data, we put them in a location that we attempt to make safe by making it difficult for someone to access – usually by hiding it and securing it with some type of lock. In the IT world that of course means keeping the data in a network location that is not accessible by just anyone and securing it with access controls like permissions.

Once the repository is discovered the next challenge is to overcome the lock. In these instances, there was no lock as the folders were set to the public sharing with the ‘anyone who had a link’ setting. In the Box incidents the discovered folders contained sensitive data such as:

  • Passport Photos
  • Social Security and Bank Account Numbers
  • High profile technology prototype and design files
  • Employees lists
  • Financial data, invoices, internal issue trackers
  • Customer lists and archives of years of internal meetings
  • IT data, VPN configurations, network diagrams

Even folders belonging to Box itself were discovered containing sensitive data that included signed NDAs for customers and performance reports for Box employees.

These data leaks show why securing just the collaboration repository alone is a weak first line of defense. With Cloud storage, repositories are no longer hidden behind a firewall or buried within a corporate network but instead are on the internet. While the location of these repositories is not often readily available to the general public, some of these folders in this incident were being scraped and indexed by Search Engines and could be easily found with a little know how. Adversis, the company that found leaks, detailed their alarmingly simple approach for finding the exposed Box data troves in a blog.

The ultimate IT security goal is to protect your data so why do most organizations only focus on applying security to the folder or repository? I’ll discuss a data-centric approach later, but first let’s look at the second reason that the current approach fails.

2.  Data and users are in a constant state of movement and change

In the not too distant past, we used to go to an office during standard business hours to do our work. We tended to work mostly with the people that were in the same location as us. Today, many of us work remotely from almost anywhere at any time, with colleagues doing the same thing. There is an argument that there is no longer such a thing as standard business hours. Even if a daily commute to an office is still the norm for your employees its very likely that they need or want to access their work-related data outside office hours and locations. This changing workplace dynamic is one of the reasons that cloud-based collaboration tools became so popular in the first place.

Just as our users change over time, so does the data that they interact with. As the content within the data changes, so does the associated level of sensitivity. A file may not start off as sensitive in nature but as data such as personally identifiable information (PII) is added, it needs to be treated differently.

However, if security is based on the location of sensitive data how can you ensure that as it evolves it is then moved to the correct location? Worse, as it is accessed, shared or downloaded how can you ensure that it is being handled appropriately if the protection ended at the folder or data repository perimeter? This is important to consider with new data regulations such as GDPR extending to legitimate and correct use for handling sensitive data, holding organizations accountable for more than just securing the content at rest in its repositories.

3.  Human error – Users make mistakes

The data of all 90 companies was leaked due to incorrect use and misconfiguration of the collaboration tool as opposed to a flaw within Box. But the fact is – people make mistakes. McKinsey and others have shown that user error is responsible for between around 20-30% of all data breaches. And this is just one example of the types of simple error that happen every day.

Here’s a few more common scenarios:

  • In a previous post I talked about the scenario where people share sensitive data with someone that they know should not have access to it. The all too familiar email that starts “I’m not supposed to send you this but…”.
  • Another familiar scenario is when the wrong file is shared either via the file sharing platform or by email attachment.
  • Or when the wrong recipient is chosen to share/send the file to.
  • Another scenario that happened to me just last week was being copied into a collaboration stream that should have remained internal to that company. Before you ask, I of course notified them of their mistake and kept their secret safe, but this shows how easy it is to do.

Reliance on “secure” locations once again fails when it comes to protecting against these scenarios. Users are usually not being malicious or deliberately trying to damage their own organization – human error is a common side effect of the modern collaboration environment that we operate in.

What should you do instead to better protect data?

An effective security model must take a balanced user and data-centric approach to protecting sensitive data. The collaboration tools themselves cannot take center stage with the security mechanisms, but instead must work in tandem with technologies that maintain security long after the data has left the confines of the repository. To do this successfully organizations need to adopt data-centric security to provide adequate protection for modern collaboration.

Four tips for successful data-centric security

  1. Security is more than set and forget permissions on a folder – Data-centric security emphasizes the security of the data itself rather than the security of networks, servers, repositories or applications. If security is placed on the data, then it travels with the file no matter where it goes or who it is shared with. And modern data-centric security tools can also look at the file contents and context to make intelligent decisions on how the data can be shared and with whom.
  2. Address changing risk profiles – A successful security strategy must look at data on a continuous basis to account for how information and its associated access attributes change over time. You need to assess the risk profile associated with the data and use case – and then consider the security that should be applied in each scenario. For example, consider a user accessing a file from their personal device from a public location. Should the user be limited to read only access if it’s sensitive data? Or perhaps the document is so sensitive you don’t want to provide remote mobile access to it at all.
  3. It’s not just about a lack of user education – As mentioned above, even the Box organization was not immune to the leaks. You would expect their users to be familiar with how to appropriately use their own tools. Technology exists to effectively eliminate user error to protect both sensitive data and your people – two of your most valuable assets. The stakes are just too high to accept a strategy that is full of holes and caveats. And the excuse of it being a matter of trust in your employees is a little naive. Unfortunately, there are sometimes abuses of trust, but remember that trust goes both ways. Organizations have a responsibility to uphold the trust that their employees place in them to provide reasonable protection for when things go wrong.
  4. Balancing collaboration wants of users with the security needs and obligations of the organization. A successful data-centric strategy keeps the right balance between what users want from a collaboration perspective and what the organization demands from a security perspective. Go too far in either direction and you can make your situation worse. Too lax and your data can be shared far too freely. Too stringent and your users find an alternative way to share and collaborate. In either situation you lose visibility and control of your sensitive data.

These 4 tips are the keys to a successful data-centric security strategy. It’s about recognizing how your users work and collaborate, the level of data sensitivity and creating policies based on those factors. Then you must apply the right data-centric security technology to dynamically match those scenarios and enforce data protection needs.

Learn more about how to effectively implement a data-centric security strategy.