Singapore Airlines

Auto Added by WPeMatico

Dozens of companies leaked sensitive data thanks to misconfigured Box accounts

Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can easily be discovered.

The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found more than 90 companies with publicly accessible folders.

Not even Box’s own staff were immune from leaking data.

The company said while much of the data is legitimately public and Box advises users how to minimize risks, many employees may not know the sensitive data they share can be found by others.

Worse, some public folders were scraped and indexed by search engines, making the data found more easily.

In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.

Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data like invoices and receipts and customer data among the data found. The company contacted Box to warn of the larger exposures of sensitive data, but noted that there was little overall improvement six months after its initial disclosure.

“There is simply too much out there and not enough time to resolve each individually,” he said.

Adversis provided TechCrunch with a list of known exposed Box accounts. We contacted several of the big companies named, as well as those known to have highly sensitive data, including:

  • Amadeus, the flight reservation system maker, which left a folder full of documents and application files associated with Singapore Airlines. Earlier this year, researchers found flaws that made it easy to change reservations booked with Amadeus.
  • Apple had several folders exposed, containing what appeared to be non-sensitive internal data, such as logs and regional price lists.
  • Television network Discovery had more than a dozen folders listed, including database dumps of millions of customers names and email addresses. The folders also contained some demographic information and developer project files, including casting contracts and notes and tax documents.
  • Edelman, the global public relations firm, had an entire project proposal for working with the New York City mass transit division, including detailed proposal plans and more than a dozen resumes of potential staff for the project — including their names, email addresses, and phone numbers.
  • Nutrition giant Herbalife left several folders exposed containing files and spreadsheets on about 100,000 customers, including their names, email addresses and phone numbers.
  • Opportunity International, a nonprofit aimed at ending global poverty, exposed in a massive spreadsheet a list of donor names, addresses and amount given.
  • Schneider Electric left dozens of customer orders accessible to anyone, including sludge works and pump stations for several towns and cities. Each folder had an installation “sequence of operation” document, which included both default passwords and in some cases “backdoor” access passwords in case of forgotten passwords.
  • PointCare, a medical insurance coverage management software company, had thousands of patient names and insurance information exposed. Some of the data included the last four digits of Social Security numbers.
  • United Tissue Network, a whole-body donation nonprofit, exposed body donor information and personal information of donors in a vast spreadsheet, including the prices of body parts.

Box, which initially had no comment when we reached out, had several folders exposed. The company exposed signed non-disclosure agreements on their clients, including several U.S. schools, as well as performance metrics of its own staff, the researchers said.

Box spokesperson Denis Roy said in a statement: “We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or ‘open’. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”

The cloud giant said it plans to reduce the unintended discovery of public files and folders.

Amadeus, Apple, Box, Discovery, Herbalife, Edelman and PointCare all reconfigured their enterprise accounts to prevent access to their leaking files after TechCrunch reached out.

Amadeus spokesperson Alba Redondo said the company decommissioned Box in October and blamed the exposure on an account that was “misconfigured in public mode,” which has now been corrected and external access to it is now closed. “We continue to investigate this issue and confirm there has been no unauthorized access of our system,” said the spokesperson, without explanation. “There is no evidence that confidential information or any information containing personal data was impacted by this issue,” the spokesperson added.

When we asked Amadeus how it concluded there was no improper access, another spokesperson, Ben Hunt, said: “We have the full audit trail for Box and access of these files — none of the files have been downloaded outside of either Amadeus or authorized customers.”

The spokesperson declined to explain its statement when told files were downloaded to verify their contents.

PointCare chief executive Everett Lebherz confirmed its leaking files had been “removed and Box settings adjusted.” Edelman’s global marketing chief Michael Bush said the company was “looking into this matter.”

Herbalife spokesperson Jennifer Butler said the company was “looking into it,” but we did not hear back after several follow-ups. (Butler declared her email “off the record,” which requires both parties agree to the terms in advance, but we are printing the reply as we were given no opportunity to reject the terms.)

When reached, an Apple spokesperson did not comment by the time of publication.

Discovery, Opportunity International, Schneider Electric and United Tissue Network did not return a request for comment.

Data “dumpster diving” is not a new hobby for the skilled, but it’s a necessary sub-industry to fix an emerging category of data breaches: leaking, public and exposed data that shouldn’t be. It’s a growing space that we predicted would grow as more security researchers look to find and report data leaks.

This year alone, we’ve reported data leaks at Dow Jones, Rubrik, NASA, AIESEC, Uber, the State Bank of India, two massive batches of Indian Aadhaar numbers, a huge leak of mortgage and loan data and several Chinese government surveillance systems.

Adversis has open-sourced and published its scanning tool.

Powered by WPeMatico

Meet the startups in the latest Alchemist class

Alchemist is the Valley’s premiere enterprise accelerator and every season they feature a group of promising startups. They are also trying something new this year: they’re putting a reserve button next to each company, allowing angels to express their interest in investing immediately. It’s a clever addition to the demo day model.

You can watch the live stream at 3pm PST here.

Videoflow – Videoflow allows broadcasters to personalize live TV. The founding team is a duo of brothers — one from the creative side of TV as a designer, the other a computer scientist. Their SaaS product delivers personalized and targeted content on top of live video streams to viewers. Completely bootstrapped to date, they’ve landed NBC, ABC, and CBS Sports as paying customers and appear to be growing fast, having booked over $300k in revenue this year.

Redbird Health Tech – Redbird is a lab-in-a-box for convenient health monitoring in emerging market pharmacies, starting with Africa. Africa has the fastest growing middle class in the world — but also the fastest growing rate of diabetes (double North America’s). Redbird supplies local pharmacies with software and rapid tests to transform them into health monitoring points – for anything from blood sugar to malaria to cholesterol. The founding team includes a Princeton Chemical Engineer, 2 Peace Corps alums, and a Pharmacist from Ghana’s top engineering school. They have 20 customers, and are growing 36% week over week.

Shuttle – Shuttle is getting a head start on the future of space travel by building a commercial spaceflight booking platform. Space tourism may be coming sooner than you think. Shuttle wants to democratize access to the heavens above. Founded by a Stanford Computer Science alum active in Stanford’s Student Space Society, Shuttle has partnerships with the leading spaceflight operators, including Virgin Galactic, Space Adventures, and Zero-G. Tickets to space today will set you back a cool $250K, but Shuttle believes that prices will drop exponentially as reusable rockets and landing pads become pervasive. They have $1.6m in reservations and growing.

Birdnest – Threading the needle between communal and private, Birdnest is the Goldilocks of office space for startups. Communal coworking spaces are accessible but have too many distractions. Traditional office spaces are private but inflexible on their terms. Birdnest brings the best of each without the drawbacks: finding, leasing, and operating a network of underutilized spaces inside of private offices. The cofounders, a duo of Duke and Kellogg MBA grads, are at $300K ARR with a fast-growing 50+ client waitlist.

Tag.bio – Tag.bio wants to make data science actionable in healthtech. The founding team is comprised of a former Ayasdi bioinformatician and a former Honda Racing engineer with a Stanford MBA. They’ve developed a next-generation data science platform that makes it easy and fast to build data apps for end users, or as they say, “WordPress for data science.” The result they claim is lightning-fast analysis apps that can be run by end users, dramatically accelerating insight discovery. They count the UCSF Medical Center and a “large Swiss pharma company” as early customers.

nCorium – They’ve built a new server architecture to handle the onslaught of AI to come with what they claim is the world’s first AI accelerator on memory to deliver 30x greater performance than the status quo. The quad founding team is intimidatingly technical — including a UCSD Professor, and former engineers from Qualcomm and Intel with 40 patents among them. They have $300K in pilots.

Spiio – Software eats landscaping with Spiio, which combines cloud-driven AI with physical sensors to monitor watering and landscaping for big companies. Their smart system knows when to water and when not to. This reduces water consumption by 50%, which means their system pays for itself in less than 30 days for big companies. They want to connect every plant to the internet, and look like they are off to a good start — $100K in orders from brand name Valley tech firms, and they are doubling monthly.

Element42 – Fraud is a major problem — For example, if you buy a Rolex on eBay, you run the risk of winding up with a counterfeit. Started by ex-VPs from Citibank, the founders are using risk models and technologies that banks use to help brands combat fraud and counterfeiting. Designed with token economics, they also incentivize customers to buy genuine products by serving exclusive content and promotions only to genuine product holders. Built on blockchain at the core, they claim to be the world’s first peer-to-peer authentication platform for physical assets. They have 45 customers across two industry verticals, 800K in ARR and are a member of World Economic Forum’s global initiatives against corruption.

My90 – Distrust between the public and the police has rarely been more strained than it is today. My90 wants to solve that by collecting data about interactions between the police and the public—think traffic stops, service calls, etc.—and turn these into actionable intelligence via an online analytics dashboard. Users text My90 anonymously about their interactions, and My90’s dashboard analyzes the results using natural language processing. Customers include major city police departments like the San Jose Police Department and the world’s largest community policing program. They have booked $150K in pilots and are expanding aggressively across the US.

Nunetz – A Stanford Computer Science grad and UCSF Neurosurgeon have come together to try to build a single unifying interface to replace the deluge of monitors and data sources in today’s clinical health environment. The goal is to prepare a daily “battle map” for physicians, nurses, and other providers, with an initial focus on the Intensive Care Unit (ICU). They have closed 3 paid pilots with hospitals through grants.

When Labs – If you hate managing people, When Labs wants to unburden you. Using an AI-powered assistant that texts with employees to negotiate assignments for hourly work, WhenLabs is trying to free customers like Hilton from spending money on managers who would normally do this manually. As the system gets smarter, they claim employees will prefer interfacing with their AI bot more than a human. AI and HR is a crowded space, but this might be the team to separate from the pack: the founding team’s previous company had a 9 figure exit to IBM.

FirstCut – FirstCut helps businesses put video content out at scale. Video dominates social media — it creates 10x more comments than text — and is emerging as a necessity for B2B media. But putting video out if you are a B2B marketer normally requires using agencies that charge hefty fees. FirstCut wants to disrupt the agencies with software and marketplaces. They use software automation and an on-demand talent marketplace to offer a fixed price product for video content. They are at $180k revenue, and most of it is moving to recurring subscriptions.

LynxCare – LynxCare claims that 90% of healthcare data goes untapped when doctors make critical decisions about your life. Further, they claim the average person’s life could be extended by 4 years if that data can be converted into insights. Their team of clinicians and data scientists aims to do just that — building a data platform that aggregates disparate data sets and drive insight for better clinical outcomes. And it looks like their platform has fans: they are active in 9 hospitals, count Pharma companies like Pfizer as Partners, and grew 4x over the past year and now are at $800K ARR.

ADIAN – Adian is a B2B SaaS product that digitizes the complex agrochemical supply chain in order to improve the sales process between manufacturers and distributors. The company claims manufacturers reduce costs by 20% and increase sales by 4% by using their online framework. $1.5 Billion and 70,000 orders have gone through the platform to date.

Hardin Scientific – Hardin is building IoT-enabled, Smart Lab Equipment. The hardware becomes a gateway to become the hub for monitoring, controlling, and sharing scientific data across teams. They’ve closed over $1.5m in revenue, and raised $15m in equity and debt financing. One of their smart devices is being used to 3D print bio-tissues and human organs in space.

ZaiNar – This team of 5 Stanford grads — 3 PhD’s and 2 MBAs — joined up with the Co-Founder of BlueKai to build the world’s best time synchronization technology. ZaiNar claims their ability to wirelessly synchronize and distribute time between networked devices is a thousand times better than existing technologies. This enables them to locate RF-emitting devices (i.e. phones, cars, drones, & RFID) at long distances with sub-meter accuracy. Beyond location, this technology has applications across data transmission, 5G communications, and energy grids. ZaiNar has raised a $1.7 million seed from AME Cloud and Softbank, and has built an extensive patent portfolio.

SMART Brain Aging – This startup claims to reduce the onset of dementia by 2.25 years with software. They are the only company approved by Medicare to get reimbursed on a preventative basis for the treatment of dementia. In conjunction with Harvard University, they have developed 20,000 exercises that are clinically proven to reduce the onset of dementia and, they claim, help build neurotransmitters. The company works with 300 patients per week ($2.2 million annual revenue) and is building to a goal of helping 22,000 people in 24 months.

Phoneic – Phoneic believes the data trapped in voice calls from cellphones is a gold mine waiting to be unleashed. Their app records and transcribes cell phones conversations, and the company has built an integration layer to enterprise AI and CRM systems that traditionally didn’t have access to voice data. The team is led by the co-founder of 3jam, one of the first group SMS and virtual number companies, which was acquired by Skype in 2011. He is keenly aware of the power of virality — and like Skype, the use of Phoneic spreads its adoption. The company has already raised $800,000 in seed funding.

Arkose Labs – Whether or not you think Russia interfered with the 2016 election, it’s no secret that bots are having significant impact on society. Arkose Labs wants to fight fraud, without adding friction to legit users. Most fraud prevention platforms today focus on gathering info from the user and providing a probability score that the traffic is good or bad. This leaves companies with a difficult decision where they may be blocking revenue generating users. Arkose has a different approach, and uses a bilateral approach that doesn’t force this tradeoff. They claim to be the only solution to offer a 100% SLA on fraud prevention. Big companies like Singapore Airlines and Electronic Arts are customers. USVP led a $6 million investment into the company.

Powered by WPeMatico