Box Case: Misinformed Users Led To Publicly Sharing Of Sensitive Information

Today, with the upsurge of technological advances which focus on improving data storing and management, controversy regarding leaked personal information also rises. Recently, security researchers have discovered that dozens of companies inadvertently disclosed thousands of customer data from their Box enterprise storage accounts.

Adversis, a cybersecurity firm, has done the report and published it through the firm’s annual paper claiming that during its round of investigation, the company discovered hundreds and thousands of data from Box users were exposed. Although data stored in Box enterprise accounts are private by default; users can share files and documents to almost anyone, making data accessible through a single link.

Box, founded by Aaron Levie in 2005, is a cloud content management and file sharing service for large businesses such as Apple, Discovery, Edelman, Amadeus and more. It is widely available for Windows, MacOS, and several mobile platforms.

The top reason for the exposure of private content is mainly due to employees or staffs who are sharing some individual files in their Box accounts publicly. However, Adversis refused to believe in its excuse and claimed that others could quickly discover these secret links. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found more than 90 companies with accessible folders.

Adversis also indicated on its report that some of the leaked data are passport photos, bank account, social security numbers, passwords, employee list, financial data like invoices and receipts of customers’ purchased items. It has come to the public that the company already warned Box six months after its initial disclosure, but noted that there was little improvement on the latter’s end.

Adversis advice Box to reconfigure the default access of shared links limited to “people in your company only” to reduce accidental exposure of data. However, the company continues to defend itself saying that it is not a showcase of vulnerability on their part. The disclosure of documents to outside entities is mainly because of easy guessing or force entry of Box account shared document URLs, according to Box’s management. In layman’s term, if a user is successful in guessing the URL, they can access the file quickly, and the worst part is, often these links contain sensitive data.

In the firm’s post, aside from giving tips to Box on how to firmly secure its data, Adversis also emphasized that the possibility of guessing or brute forcing Box account shared document URLs was pointed out first in June of last year but gained little attention. As a result, several significant data from private entities were leaked and could be now in the hands of someone who may use it for blackmail or personal purposes.

The thing is, these clients such as Apple, Amadeus, Discovery, Herbalife, and among others, trusted Box to manage its data and even signed a non-disclosure agreement. Despite several warnings from Adversis, the company is confident that its security system is unbreakable, but what happened now, proves that the level of security the company built is still accessible.

The case of Box opened issues on cloud storage services, where FixYa, a technical support website did a survey indicating that the top five cloud storage services such as Dropbox, Google Drive, Sugar Sync, iCloud, and Box are most concerned about security and missing files. According to Market Research Film Gartner, 36 percent of personal data was stored in these clouds. Problems with privacy settings topped the survey. Although these companies have checked and secured its privacy settings, multiple security issues still bombarded clients.

What is usually the cause of data leakage given the fact that these companies set a security system that is hard to breach?

In most cases, users do not fully understand how their files or folders can be shared without their consent. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to ‘public’ or open. The tendency is, these users are misinformed and do not have enough knowledge about the technicalities of shared links. If these companies explain clearly how the privacy settings worked or help users understand how their files or folders can be shared, then eventually, they will breed well-versed customers and reduce cases of unintentional content sharing.

Cloud-based file storage is becoming the expected method for file sharing these days both in personal devices and on the workplace. Both the company and the user or client should work hand in hand to prevent leakage of data. With reports on leaked information, companies like Box should implement strict regulation through its privacy settings regarding personal sharing of information, improve admin policies, and introduce additional controls for shared links. After all, knowledge is power; if a user and client are aware of the risk once their sensitive data are compromised, then cases of leaked information will be prevented.

About the Author

Reysel Montero
I've been contributing news since 2010, both online and print. Aside from Z6Mag, I manage independent news blogs that provide awareness on a diverse list of topics to every reader.

Be the first to comment on "Box Case: Misinformed Users Led To Publicly Sharing Of Sensitive Information"

Leave a comment

Your email address will not be published.