Cloud-based online services are useful tools for many enterprises, allowing them to coordinate their teams, share information and enable discussions within groups. However, companies should be sharply aware of how they manage their privacy settings for these services before discussing business critical matters or uploading sensitive data.
It seems that many Japanese organizations have learned this the hard way. A Japanese newspaper found more than 6,000 cases where public and private organizations exposed internal communications by using the default Google Groups privacy settings. Keeping the default settings allowed for public access to discussion threads rather than making them only accessible to pre-approved members. The newspaper found that hospitals and schools posted records on their patients and students and at least one political party exposed a list of its supporters. In fact, the newspaper itself admitted that its journalists made the same mistake, potentially revealing draft news reports and interview transcripts to the world.
The Japanese government was also involved in this and admitted that officials accidently posted internal memos publicly simply because they used the wrong privacy settings for Google Groups online discussions. This included details on planned negotiations on an international mercury trade treaty along with discussions about this between Swiss and Norwegian environmental ministries. The Japanese environmental ministry’s spokesperson said that while the internal documents were not confidential, it has since taken corrective steps to protect its data.
There have been cases in the past where, even if the cloud service provider has set its default settings to private, users seemingly inadvertently set them to public and exposed data. As a result, more than 12 thousand data buckets were uncovered and almost 2 thousand were visible to the public. The buckets included 126 billion files which included data from social networks, sales records, video game source code and unencrypted database backups.
These cases show how easily sensitive data can be exposed simply by human error as opposed to malicious attack. The fact that this error was so widespread is worrying and suggests that many simply assumed that their communications were private, rather than checking to see for themselves. Before using any communications tool, always check the privacy settings to ensure that everything is protected.