The Panama Papers data leak of 2016 was, at the time, described as the largest data breach in history. The leak led to sensitive files being accessed freely by anyone who could find them, bringing into question the practices of many well-known individuals and organisations.
Since then, data breaches have made regular headlines, and with the GDPR compliance deadline approaching the trend shows no sign of slowing; companies including Facebook are currently under investigation by the Information Commissioner's Office (ICO) over potential data breaches. The latest exposure to make headlines dwarfs the Panama Papers leak, at roughly 4,000 times the size by data volume.
1.5 Billion private files publicly available
The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data".
Security research firm Digital Shadows has discovered a huge data exposure: over 1.5 billion files readily accessible online in unencrypted form. The data, found between January and March 2018, came from a range of sources including Amazon S3 buckets. It came from across the globe; in the US the exposed files ranged from tax returns to medical records and credit card details, and over 60 million files were exposed from the UK. Crucially, no attacker had to break in: the files were reachable by anyone who looked, because the services hosting them had been configured to allow anonymous access.
Misconfigured storage systems led to business-critical data being exposed, including a patent summary document marked "strictly confidential" and, in another case, a document containing source code submitted as part of a copyright application. While Amazon S3 buckets took the focus of some headlines, they accounted for only 7% of the 12 petabytes of data; the rest was exposed through other misconfigured services such as open SMB file shares, rsync and FTP servers. As recently as February 2018, Amazon S3 made headlines when FedEx customer data was exposed through the platform.
Digital Shadows CISO Rick Holland, speaking on the exposure, stated:
“The value of the sensitive data exposure should be a major cause of concern for any security and privacy conscious organisations. In addition, with GDPR fast-approaching, there are clear regulatory implications for any organisation with EU citizen data.”
Compliance and data breaches
This is not a single breach of one organisation: the exposed files belong to many organisations, and while the exposure could affect millions of people, third parties and contractors have been cited as a main source of the data. That makes it harder for regulators to identify and sanction those responsible. Much has been said about compliance with data protection law in recent months, largely because of the incoming General Data Protection Regulation. The regulation imposes stricter obligations on those responsible for personal data and raises the maximum fines for non-compliance: a major breach could lead to a fine of up to €20 million (around £17 million) or 4% of global annual turnover, whichever is higher.
Reducing the risk of a breach is a core requirement of the GDPR and of most other data protection laws. For organisations that use public cloud platforms or remote storage of any kind this is essential; due diligence must confirm not only that a platform is secure enough for the intended use, but that it has actually been configured that way. Internal processes and policies should also be updated so that data protection regimes exist and are followed in every area of the business. Human error remains one of the leading causes of breaches and data loss, something that can be reduced by training staff on their responsibilities and the risks of a breach.
Trust in cloud
While public cloud platforms such as S3 have in part led to data being discovered, this is primarily because the platforms were misconfigured and security controls were not followed: a bucket or share set to allow anonymous access is readable by anyone who learns its name, however well the underlying platform is built. Cloud platforms are a secure and often simple way to protect data, but encryption is vital to prevent unauthorised access. One caveat: server-side encryption at rest under provider-managed keys does not help when the access controls themselves are open, because the platform transparently decrypts for any request the permissions allow, including an anonymous one; encryption under keys the organisation controls (client-side, or a provider KMS key with a restrictive key policy) protects the data even when the storage permissions are wrong. Cloud platforms are increasingly being used across all areas of business, including data storage, processing activities and data protection processes such as backup, disaster recovery and archiving. Redstor has specialised in helping organisations protect and manage data since 1998, delivering cloud-first solutions for the challenges of backup, recovery and archiving.
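The two S3 misconfigurations that produce exposures like the one above are a bucket policy that grants access to an anonymous principal and a bucket ACL that grants to the AllUsers or AuthenticatedUsers groups. The following is an added example, not code from the original article or from Redstor or Digital Shadows: it checks policy and ACL documents offline for those grants, with a weak configuration beside a corrected one. The policy and ACL documents are constructed samples in the shape the AWS API returns, and the bucket name `example-backups` and the role ARN are hypothetical.

```python
"""Offline checks for world-readable S3 buckets: anonymous Allow statements in
the bucket policy and public-group grants in the bucket ACL. The documents
below are constructed samples; no AWS credentials or network access is needed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def _principal_is_anonymous(principal):
    """True if a statement's Principal matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Allow statements open to anonymous principals. Each finding records whether
    a Condition is present, since e.g. an aws:SourceIp restriction may make an
    anonymous grant acceptable; unconditioned findings are the real problem."""
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anonymous(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        findings.append({
            "sid": st.get("Sid", f"statement-{i}"),
            "actions": [actions] if isinstance(actions, str) else actions,
            "conditioned": bool(st.get("Condition")),
        })
    return findings


def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def bucket_is_public(policy_json, acl):
    """Verdict: any unconditioned anonymous Allow, or any public ACL grant."""
    unconditioned = [f for f in public_policy_statements(policy_json) if not f["conditioned"]]
    return bool(unconditioned) or bool(public_acl_grants(acl))


# Constructed weak configuration: anyone can list the bucket and fetch objects.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}]})
WEAK_ACL = {"Owner": {"ID": "ownerid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

# Constructed corrected configuration: access scoped to one (hypothetical) IAM
# role, plus an explicit Deny for any request that is not sent over TLS.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
FIXED_ACL = {"Owner": {"ID": "ownerid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"}]}


if __name__ == "__main__":
    for name, pol, acl in (("weak", WEAK_POLICY, WEAK_ACL), ("fixed", FIXED_POLICY, FIXED_ACL)):
        verdict = "PUBLIC" if bucket_is_public(pol, acl) else "not public"
        print(f"{name}: {verdict}", public_policy_statements(pol), public_acl_grants(acl))
```

Against a live account the same documents come from `aws s3api get-bucket-policy` and `get-bucket-acl`, and the account-level "Block Public Access" setting (`get-public-access-block`) should be enabled so that neither grant can take effect in the first place; the Deny-on-insecure-transport statement is kept under Effect Deny, which is why the checker correctly ignores its `Principal: "*"`.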
To find out more about Redstor services, see a demo of the Redstor Pro or get a free trial, get in touch today.