Users of File Sharing Apps Continue to Expose Valuable Private Data, Including Tax Returns

About a year ago Intralinks revealed that it had uncovered a security issue with many consumer file sync and share applications. Issues continue to persist.


15 April 2015

fileissue1

About a year ago, Intralinks revealed that it had uncovered a security issue with many consumer file sync and share applications that, due to how they were being deployed, put users’ sensitive personal information at serious risk. One year later, we’ve found that similar issues continue to persist, raising significant concerns about how these products are being used.

Background

Like many companies, Intralinks advertises using Google Adwords, and often uses industry product or company names to determine when an ad is presented alongside a search. In 2014, when using Google Analytics to review the results of some campaigns, we inadvertently discovered the fully clickable URLs necessary to access documents in some Dropbox and Box accounts. Subsequently, we found other issues with file sharing apps, and reported our concerns to the affected companies so they could take any necessary action.

However, it’s clear that many users still don’t understand the security issues they face when sharing personal or sensitive information. Many users likely presume the data they store in file sharing apps — which may be personal data and, in some cases, may include their employers’ data — is always safe, when often it isn’t.1040 Tax Return

As a result, when we analyzed a Google Adwords campaign we ran last month, we once again found active
links to user files that could be downloaded. And, the truly scary thing is the types of files we found: in one case, we even inadvertently discovered a completed U.S. tax return that contained extensive personal and financial information, potentially sufficient to enable identity theft.

Who’s At Risk?

To be clear, we gained access to files because users of file sharing applications often don’t take steps to safeguard their data. Most file sharing apps explain how shared links can be used. Nevertheless, many users clearly don’t know or perhaps don’t understand that even if they don’t actively share a link to a file, an unsecured link could still be uncovered and their files could be accessed. With estimates of well over 400 million users of consumer file sharing apps, this is a significant issue.

Conceivably, all file sharing apps could potentially be vulnerable to this issue. Many people don’t use basic security features, like setting passwords. To compound the problem, many people use consumer file sharing apps for both personal data and company data, with no or insufficient security in place.

Even with warnings about these risks, it appears that a number of users of file sharing apps remain unaware that some free products come at a price: they don’t provide the necessary features to secure files adequately. We believe that using a file sharing app that doesn’t support robust security like authentication and password protection is, simply put, very risky.

How To Protect Your Data

Users of file sharing applications need to take more care with their data, and educate themselves about the risks. They also need to understand which products are safest to use. If you want to avoid putting your data at risk, here are steps you can take:

 

 

 

 

 

  • Check that your cloud file sharing app supports privacy settings — and use them!
    Make sure that the product you use supports “privacy” settings that ensure that only people you specifically invite will be able to access your files. The system should support authentication, requiring users to identify themselves to gain access to your files. These security features should be part of the platform you use, not an “add on” you need to integrate. If possible, make the default setting for your account the most secure setting.
  • Avoid file sharing apps that don’t support data privacy and security
    If your current file sharing service doesn’t support privacy and security settings, switch to a version or alternate product that does. Adequate security doesn’t have to mean the product will be clunky to use or expensive. And losing your files can be embarrassing, costly, and potentially damaging. (We know because we found some truly hair-raising files.)
  • Sharing pictures of your cute cat is different from sharing your tax return
    Many consumer file sharing apps are great for storing certain types of data in the cloud and for sharing non-sensitive pictures and files. But sharing sensitive data isn’t safe unless you’ve taken the right precautions. Think about how you share different types of information and make sure that your security settings match the sensitivity of your information. If you share especially sensitive data, such as financial information, then consider advanced security features like information rights management that provide full control of files and how they are accessed, even after you’ve shared them.
  • Delete old files that you don’t need anymore
    Get into the habit of deleting files once they’re no longer needed, especially if you have shared them with others. If you’ve been using a file sharing app without security enabled, we recommend deleting all of your previously posted files and reposting them to a new account that has security enabled.
  • Don’t mix work and pleasure
    Mixing work and personal files in a single account is, quite simply, a bad idea. Losing your personal data is serious enough, but losing company data can have severe consequences: lost reputation, reprimands and other professional consequences, regulatory and legal issues and even fines.


Daren Glenister

Daren Glenister

Field CTO

Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software having worked with many of the Fortune 1000 companies helping to turn business challenges into real world solutions.