Security researchers at Adversis have discovered that dozens of companies have inadvertently leaked corporate and customer data through their Box enterprise storage accounts because staff are sharing public links to their private corporate files.

According to the researchers, data stored in Box enterprise accounts is private by default, but if users share files or folders, the data can become publicly accessible. Using a script to scan for Box accounts with lists of company names and wildcard searches, the researchers found more than 90 companies, some very well known, including Box, with publicly accessible folders.

Some of the folders contained innocuous data, but others included personal information, including passport photographs, bank account information, employee lists, Social Security numbers, and passwords.

Box responded to the discovery by stating that customers are the ones who decide the security level of their enterprise accounts. Although Box provides controls so that customers can choose the level of security they want, the folders may be made accessible if users share files or folders broadly. Box is attempting to make the security settings clearer and to educate its customers on how files and folders can be shared.

If your company uses an enterprise Box account, you may wish to consider educating your employees on the importance of not sharing the link to files or folders with others inside or outside of the company, and also to review and update your account configuration.

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, and complex litigation. She is a member of the Business Litigation Group and chairs the firm’s Data Privacy and Security Team. She currently serves as general counsel to the Rhode Island Quality Institute. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations, as well as emergency data breach response and mitigation. She counsels clients on state and federal data privacy and security investigations and data breaches. Prior to joining the firm, Linn was a partner at Nixon Peabody, where she served as leader of the firm’s Privacy & Data Protection Group. She also served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.