July 17, 2019

Misconfigured Box Accounts Can Expose Data

Security researchers at Adversis have discovered that dozens of companies have inadvertently leaked corporate and customer data through their Box enterprise storage accounts because staff are sharing public links to their private corporate files.

According to the researchers, data stored in Box enterprise accounts is private by default, but if users share files or folders, the data can become publicly accessible. Using a script to scan for Box accounts with lists of company names and wildcard searches, the researchers found more than 90 companies, some very well known and including Box itself, with publicly accessible folders.

Some of the folders contained innocuous data, but others included personal information, including passport photographs, bank account information, employee lists, Social Security numbers, and passwords.

Box responded to the discovery by stating that customers decide the security level of their enterprise accounts. Although Box provides controls so that customers can choose the level of security they want, folders may become accessible if users share files or folders broadly. Box is attempting to make the security settings clearer and to educate its customers on how files and folders can be shared.

If your company uses an enterprise Box account, you may wish to consider educating your employees on the importance of not sharing the link to files or folders with others inside or outside of the company, and also to review and update your account configuration.

Copyright © 2019 Robinson & Cole LLP. All rights reserved.


About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...