More than 90 companies inadvertently exposed hundreds of thousands of documents and terabytes of data via Box, a cloud-based file-sharing system. Cybersecurity firm Adversis exposed the major security gaffe and says everything from passport photos to social security and bank account numbers, prototype and design files, employee lists, and financial and IT data was revealed.
While data and documents uploaded to Box Enterprise accounts are technically private, users are able to share access via links. And Adversis found that those secret links can be easily discovered — some had even been indexed by search engines. Adversis initially planned to reach out to companies individually but quickly realized the scale of the problem went beyond that.
According to TechCrunch, Apple, the television network Discovery, flight reservation system Amadeus, nutrition company Herbalife and Opportunity International were among the companies who had their data exposed. The leaked info includes everything from customer emails and phone numbers to patient insurance information and public works project details.
To make matters worse, companies will have to secure their Box accounts themselves. Box recommends “securing shared links” by password-protecting them, limiting access to employees and running shared link reports. As Adversis says in its blog post, if your company is using Box, there’s a chance your data isn’t as secure as you might hope.