Diligence or disaster?

While attempting to protect against viruses, organisations of all kinds are
unwittingly leaking confidential documents into the public domain.

Research published by Cylab last week discovered large numbers of confidential documents of many kinds exposed to full public view on the web. So what’s new in this? Well, the irony is that these documents were posted to online virus checking services by businesses in order to verify they were safe to open.

Documents found ranged from purchase orders and invoices to CVs, personal identity and insurance documents, all of which could be used in the wrong hands to facilitate fraud at the very least. A few were even more sensitive — medical and legal documents, and in one case a military travel requisition form complete with traveller names.

Clearly the organisations submitting these documents for virus checking had recognised a genuine need, but equally clearly they had not done their homework properly before committing to a service. The Cylab report doesn’t identify the specific services it investigated, but in the T&Cs of a randomly picked service I found the following:

“[Provider] analyses, publishes, and shares submitted content from users as part of providing a cybersecurity community resource and is not responsible for the content or information which may incidentally appear in such submissions or be included in automatically-generated reports.
By uploading or submitting the submitted content, excluding personal data for which you are responsible, to [provider], you grant [Provider] a non-exclusive, worldwide, royalty-free, irrevocable, fully paid up, transferable, sublicensable license to use, edit, host, store, reproduce, modify, create derivative works, communicate, publish, publicly perform, publicly display and distribute the Submitted Content, including but not limited to, free or paid offerings such as Malware databases.”

The exclusion of “personal data for which you are responsible” might at first sight suggest that personal data would be expunged by the service provider before performing any of the listed public acts. However that would apparently not be a safe assumption, as the T&Cs go on to state:

“If you submit the Submitted Content to the service without checking the box that states ‘do not share my sample with the community’ the entirety of the Submitted Content, including but not limited to all files, URLs, comments, queries, YARA rules, and/or other content, will be available for download by others, subject to these Terms. Regardless of whether you select ‘do not share my sample with the community’ screenshots and associated metadata, which may incidentally reveal file contents, will still be shared with the community.” (My redactions and emphasis). And of course, personal data is not the only kind of confidential information we should worry about, nor necessarily the most significant source of harm in the wrong hands.

The worst aspect of such data leaks is that the responsible organisations are completely unaware they’re happening. But the $64k question is how this could come about. Such T&Cs are typical, so obviously lots of folks didn’t read them with due attention before signing up their businesses to the services. This implies a lack of corporate information governance that’s quite mind-boggling, but it’s becoming commonplace in the context of online business services — a cultural tendency for which I long ago coined the term ‘Fire and Forget Outsourcing’.

It’s extremely common but very dangerous to take on trust that a service provider will automatically and entirely serve your best interests. So before considering any third party service (and most particularly any apparently free of charge online service) ensure you’re equipped to do for yourself everything that’s not expressly offered as part of the service, and make yourself fully aware of the full implications of any caveats or exclusions of liability on the part of the provider. Then, rather than taking assurances on trust, establish by active enquiry how much oversight you can exercise over the service if engaged. Only if all these enquiries pass muster should the service be used for sensitive business purposes — and what business purposes aren’t sensitive in this highly competitive world?

Mike Barwise
Director, BiR