Apple One of 90 Companies to Accidentally Leak Sensitive Data via Box Accounts

A number of high-profile companies, including Apple, have been accidentally leaking sensitive corporate and personal information through their Box accounts, according to a new report.

The data leaks were first spotted by cybersecurity firm Adversis and reported by TechCrunch. Notably, the leak wasn’t the result of a malicious breach; it was simply the result of poor access configurations.

Box is an enterprise cloud storage and management platform. And while files uploaded to its cloud are private by default, users can share files by way of a link — a link that’s publicly accessible.

These links could then be discovered by third parties. Adversis notes that it used a script to “scan for and enumerate Box accounts with lists of company names and wildcard searches.” Some of the folders were scraped by search engines, meaning they were more easily accessible by the public.

All in all, more than 90 companies were found to have publicly accessible folders (including Box itself). And the types of data found in those folders range from routine to extremely confidential.

Adversis said it found high-profile “technology prototype and design files,” as well as employee lists, financial data, invoices, customer lists, IT data, network diagrams, and “archives of years of internal meetings.”

But that isn’t all. The cybersecurity firm also discovered “hundreds” of passport photos, Social Security numbers, passwords and even bank account information.

In Apple’s case, the Cupertino tech giant had inadvertently leaked several internal files, such as logs and regional price lists. TechCrunch notes that Apple’s leaked data wasn’t particularly sensitive.

Other companies impacted by the poor configurations include Amadeus, Discovery, Herbalife, Edelman and Pointcare. In contrast to Apple’s files, a few of these other firms had actually shared data that shouldn’t have been made public — such as customer contact information.

While the leak was originally discovered back in September, Adversis waited until now to make it public to give companies time to shore up any inadvertent data sharing.

Apple, along with other companies identified in the leak, reconfigured its enterprise accounts to prevent public access after TechCrunch reached out.

Box, for its part, said that it is taking action to prevent unintended access to files and folders stored on its platform. Mostly, that comes down to making file permission and share settings clearer to customers of its service.
