UPDATED 08:00 EDT / MAY 30 2019

Report finds 2B+ private files exposed online

A new report from cybersecurity startup Digital Shadows Ltd. today has found a staggeringly large number of files exposed on the internet.

Undertaken by the company’s Photon Research Team, the “Too Much Information: The Sequel” study assessed the scale of inadvertent global data exposure and found 2.3 billion private files exposed across online file stores that should not have been.

The exposed data included passport scans and bank statements as well as business information such as credentials to company systems.

That figure is an increase of 750 million files since the same study was undertaken last year. The highest number of exposed records was found in the U.S. at 326 million, followed by Germany with 121 million records and the U.K. with 98 million. The last two are notable because the exposed data would be in breach of Europe’s General Data Protection Regulation.

The study found that the most common cause of data exposure is the misconfiguration of commonly used file storage technologies, with nearly 50% of the files found to be exposed via the Server Message Block protocol. FTP came in at 20%, rsync at 16%, while surprisingly, despite near-constant media reports, misconfigured Amazon Web Services Inc. instances accounted for only 8% of exposed data.

“Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant,” Photon Research Analyst Harrison Van Riper said. “Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year. Some of the data exposure is inexcusable – Microsoft has not supported SMBv1 since 2014, yet many companies still use it. We urge all organizations to regularly audit the configuration of their public facing services.”

Digital Shadows advised enterprises to take simple steps to ensure, and then double-check, that the data they’re hosting is secure.

The advice includes using Amazon S3 Block Public Access to limit public exposure of buckets; disabling SMBv1 and, for systems that require the protocol, updating to SMBv2 or v3; IP whitelisting so that only authorized systems can access shares; disabling port 837 to restrict access to rsync; and finally, using Secure FTP instead of standard FTP.
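The five recommendations above, applied as an automated check over an exported inventory of internet-facing file services. This is an added example, not code from Digital Shadows or the report; the `FileService` record format, the `audit` function and the sample hosts are assumptions constructed for illustration.

```python
# Added example (not from the Digital Shadows report or SiliconANGLE): a
# defender-side audit that applies the report's five recommendations to an
# exported inventory of internet-facing file services. The inventory format
# and the sample records are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class FileService:
    host: str
    protocol: str              # "smb", "ftp", "sftp", "rsync" or "s3"
    internet_facing: bool      # reachable from any source address
    smb_dialects: tuple = ()   # negotiable SMB dialects, e.g. ("1", "2", "3")
    allowlist: tuple = ()      # source IPs/CIDRs permitted; empty means any
    block_public_access: bool = False  # S3 "Block Public Access" setting


def audit(inventory):
    """Return (host, finding) pairs for each recommendation that is not met."""
    findings = []
    for s in inventory:
        if s.protocol == "smb":
            if "1" in s.smb_dialects:
                findings.append((s.host, "SMBv1 enabled: disable it; use SMBv2/v3"))
            if s.internet_facing and not s.allowlist:
                findings.append((s.host, "SMB share reachable from any IP: add an allowlist"))
        elif s.protocol == "rsync":
            if s.internet_facing and not s.allowlist:
                findings.append((s.host, "rsync daemon open to the internet: block the port or allowlist"))
        elif s.protocol == "ftp":
            findings.append((s.host, "plain FTP in use: move to Secure FTP"))
        elif s.protocol == "s3":
            if not s.block_public_access:
                findings.append((s.host, "S3 bucket without Block Public Access"))
    return findings


# Constructed sample inventory: the first two entries fail, the last two pass.
SAMPLE = [
    FileService("fileserver-a", "smb", True, smb_dialects=("1", "2")),
    FileService("backup-b", "rsync", True),
    FileService("reports-bucket", "s3", True, block_public_access=True),
    FileService("exchange-c", "sftp", True, allowlist=("203.0.113.0/24",)),
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(f"{host}: {finding}")
```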
