Security researchers at Adversis have discovered that dozens of companies have inadvertently leaked corporate and customer data through their Box enterprise storage accounts because staff are sharing public links to their private corporate files.
According to the researchers, data stored in Box enterprise accounts is private by default, but if users share the files or folders, the data can be publicly accessible. The researchers found that when they used a script to scan for Box accounts with lists of company names and wildcard searches, they found more than 90 companies, some very well known, including Box, with publicly accessible folders.
Some of the folders contained innocuous data, but others included personal information, including passport photographs, bank account information, employee lists, Social Security numbers, and passwords.
Box responded to the discovery by stating that customers are the ones deciding the security level of their enterprise accounts, and although Box provides controls so the customers can choose the level of security they want, if users are sharing files or folders broadly, the folders may be made accessible. Box is attempting to make the security settings more clear and to educate its customers on how files and folders can be shared.
If your company uses an enterprise Box account, you may wish to consider educating your employees on the importance of not sharing the link to files or folders with others inside or outside of the company, and also to review and update your account configuration.