Dozens of companies leaked sensitive data thanks to misconfigured Box accounts

Security researchers have found dozens of companies inadvertently leaking sensitive corporate and customer data because staff are sharing public links to files in their Box enterprise storage accounts that can easily be discovered.

The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found more than 90 companies with publicly accessible folders.

Not even Box’s own staff were immune from leaking data.

The company said while much of the data is legitimately public and Box advises users how to minimize risks, many employees may not know the sensitive data they share can be found by others.

Worse, some public folders were scraped and indexed by search engines, making the data found more easily.

In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.
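As an added example (not Adversis's scanner and not Box's own code), the audit below walks a constructed folder tree in the shape of the Box API's folder item listing and reports every item reachable through an "open" shared link, including files that inherit exposure from an open parent folder; the folder ids, link URLs and file names are made up, and the assumed access values are "open", "company" and "collaborators".

```python
"""Audit a Box folder tree for shared links that are open to anyone.

Added example: models the entries of GET /folders/{id}/items
(fields=name,type,shared_link). A real audit would fetch each listing
with an enterprise admin token; here the tree is constructed inline.
"""

# Constructed sample: folder id -> the "entries" of its item listing.
SAMPLE_LISTINGS = {
    "0": [
        {"type": "folder", "id": "10", "name": "Finance", "shared_link": None},
        {"type": "file", "id": "11", "name": "README.txt",
         "shared_link": {"url": "https://app.box.com/s/aaa", "access": "company"}},
    ],
    "10": [
        {"type": "file", "id": "12", "name": "invoices-2018.xlsx",
         "shared_link": {"url": "https://app.box.com/s/bbb", "access": "open"}},
        {"type": "folder", "id": "13", "name": "Customers",
         "shared_link": {"url": "https://app.box.com/s/ccc", "access": "open"}},
        {"type": "file", "id": "14", "name": "notes.docx", "shared_link": None},
    ],
    "13": [
        # Link restricted to collaborators, but the parent folder is open.
        {"type": "file", "id": "15", "name": "customers.csv",
         "shared_link": {"url": "https://app.box.com/s/ddd", "access": "collaborators"}},
    ],
}


def find_open_links(root_id="0", listings=SAMPLE_LISTINGS):
    """Return (path, reason) for every item anyone with the link can reach.

    An "open" shared link on a folder exposes everything beneath it, so
    children of an open folder are reported as inherited exposure even
    when their own link is tighter or absent.
    """
    findings = []

    def visit(folder_id, path, parent_open_path):
        for item in listings.get(folder_id, []):
            item_path = f"{path}/{item['name']}"
            link = item.get("shared_link") or {}
            if link.get("access") == "open":
                findings.append((item_path, "direct: shared link access=open"))
                open_path = item_path
            elif parent_open_path:
                findings.append((item_path, f"inherited: inside open folder {parent_open_path}"))
                open_path = parent_open_path
            else:
                open_path = None
            if item["type"] == "folder":
                visit(item["id"], item_path, open_path)

    visit(root_id, "", None)
    return findings


if __name__ == "__main__":
    for path, reason in find_open_links():
        print(f"{path}: {reason}")  # remediate by setting access to "company"
```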

Adversis said it found passport photos, bank account and Social Security numbers, passwords, employee lists, financial data like invoices and receipts and customer data among the data found. The company contacted Box to warn of the larger exposures of sensitive data, but noted that there was little overall improvement six months after its initial disclosure.

“There is simply too much out there and not enough time to resolve each individually,” he said.

Adversis provided TechCrunch with a list of known exposed Box accounts. We contacted several of the big companies named, as well as those known to have highly sensitive data, including:

  • Amadeus, the flight reservation system maker, which left a folder full of documents and application files associated with Singapore Airlines. Earlier this year, researchers found flaws that made it easy to change reservations booked with Amadeus.
  • Apple had several folders exposed, containing what appeared to be non-sensitive internal data, such as logs and regional price lists.
  • Television network Discovery had more than a dozen folders listed, including database dumps of millions of customers’ names and email addresses. The folders also contained some demographic information and developer project files, including casting contracts and notes and tax documents.
  • Edelman, the global public relations firm, had an entire project proposal for working with the New York City mass transit division, including detailed proposal plans and more than a dozen resumes of potential staff for the project — including their names, email addresses, and phone numbers.
  • Nutrition giant Herbalife left several folders exposed containing files and spreadsheets on about 100,000 customers, including their names, email addresses and phone numbers.
  • Opportunity International, a nonprofit aimed at ending global poverty, exposed in a massive spreadsheet a list of donor names, addresses and amount given.
  • Schneider Electric left dozens of customer orders accessible to anyone, including sludge works and pump stations for several towns and cities. Each folder had an installation “sequence of operation” document, which included both default passwords and in some cases “backdoor” access passwords in case of forgotten passwords.
  • PointCare, a medical insurance coverage management software company, had thousands of patient names and insurance information exposed. Some of the data included the last four digits of Social Security numbers.
  • United Tissue Network, a whole-body donation nonprofit, exposed body donor information and personal information of donors in a vast spreadsheet, including the prices of body parts.

Box, which initially had no comment when we reached out, had several folders exposed. The company exposed signed non-disclosure agreements on their clients, including several U.S. schools, as well as performance metrics of its own staff, the researchers said.

Box spokesperson Denis Roy said in a statement: “We take our customers’ security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or ‘open’. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links.”

The cloud giant said it plans to reduce the unintended discovery of public files and folders.

Amadeus, Apple, Box, Discovery, Herbalife, Edelman and PointCare all reconfigured their enterprise accounts to prevent access to their leaking files after TechCrunch reached out.

Amadeus spokesperson Alba Redondo said the company decommissioned Box in October and blamed the exposure on an account that was “misconfigured in public mode,” which has now been corrected and external access to it is now closed. “We continue to investigate this issue and confirm there has been no unauthorized access of our system,” said the spokesperson, without explanation. “There is no evidence that confidential information or any information containing personal data was impacted by this issue,” the spokesperson added.

When we asked Amadeus how it concluded there was no improper access, another spokesperson, Ben Hunt, said: “We have the full audit trail for Box and access of these files — none of the files have been downloaded outside of either Amadeus or authorized customers.”

The spokesperson declined to explain its statement when told files were downloaded to verify their contents.

PointCare chief executive Everett Lebherz confirmed its leaking files had been “removed and Box settings adjusted.” Edelman’s global marketing chief Michael Bush said the company was “looking into this matter.”

Herbalife spokesperson Jennifer Butler said the company was “looking into it,” but we did not hear back after several follow-ups. (Butler declared her email “off the record,” which requires both parties agree to the terms in advance, but we are printing the reply as we were given no opportunity to reject the terms.)

When reached, an Apple spokesperson did not comment by the time of publication.

Discovery, Opportunity International, Schneider Electric and United Tissue Network did not return a request for comment.

Data “dumpster diving” is not a new hobby for the skilled, but it’s a necessary sub-industry to fix an emerging category of data breaches: leaking, public and exposed data that shouldn’t be. It’s a growing space that we predicted would grow as more security researchers look to find and report data leaks.

This year alone, we’ve reported data leaks at Dow Jones, Rubrik, NASA, AIESEC, Uber, the State Bank of India, two massive batches of Indian Aadhaar numbers, a huge leak of mortgage and loan data and several Chinese government surveillance systems.

Adversis has open-sourced and published its scanning tool.

Amun raises $4M to give stock-like buying options for crypto investors

Crypto represents a “border-less” asset that anyone can own, but actually getting hold of it isn’t easy for everyone. Amun, a company that wants to make buying crypto as easy as stock, has pulled in $4 million in funding to offer more established channels for crypto ownership.

The startup currently offers punters an ETP (exchange-traded product) on the Swiss Stock Exchange that pulls together five of the most popular crypto assets: Bitcoin, Ethereum, Bitcoin Cash, XRP and Litecoin. HODL — as it is called after “holding” crypto rather than selling it (LOL) — can be purchased just like any stock.

That five-crypto basket is just the start for Amun, which is developing ETPs for other crypto assets individually. The first one is for Bitcoin — ABTC — with others planned to come soon; you’d imagine the usual suspects such as Ethereum and co will follow. Indeed, Amun has licenses to the five crypto assets in HODL as well as EOS.

While the products are ETPs and not covered by the Collective Investment Schemes Act (CISA), they are protected in custody and by insurance. They are collateralized and backed by an identical amount of crypto assets.

Personally, I’ve been able to buy crypto — just base tokens like Bitcoin and Ethereum rather than company-specific ICO tokens — but it certainly is true that it takes some learning. While, speaking for me and likely many others, exchange-based products aren’t easier for me, they do appeal to more institutionally minded individuals or companies for whom holding an account with an exchange or a crypto wallet isn’t feasible. That’s the target that Amun has in mind, as well as outlier cases, too.

Amun CEO and co-founder Hany Rashwan told TechCrunch that growing up in Egypt, he saw the government ban Bitcoin despite the fact that it offered an alternative to the Egyptian pound, which saw its valuation tank massively in 2016. He believes that products like Amun allow anyone to take part in crypto even when they face local restrictions, as was the case in Egypt and other countries.

“We want to make investing in crypto as easy as buying a stock. Institutional investors around the world are looking for a secure, easy and regulated way of accessing the crypto asset class. Amun’s products do that at a low price in one of the most reputable financial hubs in the world,” Rashwan told TechCrunch.

Investors share his optimism and those who took part in this round include Boost VC founder Adam Draper — son of outspoken pro-Bitcoin VC Tim Draper — Graham Tuckwell, founder of ETFS Capital who built ETF products for gold, and Greg Kidd, co-founder of investment firm Hard Yaka. Four undisclosed family offices also took part.

One reason for their optimism is the fact that Amun is developing technology that could, in theory, be licensed out to allow others to develop their own ETFs.

“We invest a ton of resources in both our product development and underlying tech infrastructure. This allows us to come up with innovative but professional and safe ways of accessing the crypto asset class, as well as do all this on a tech platform that can be used by not just us, but any issuer that wishes to do the same as well,” Rashwan said.

“The world needs a company like Amun to make crypto as easy as buying a stock. Now that they were the first to do that, they can now provide the toolset and be the de facto platform for anyone else looking to take their crypto assets/securities to the public markets,” Draper added.

Still, just giving people access doesn’t guarantee returns — that’s on the crypto market itself.

Last year was a dud across the board in terms of pricing, as Bitcoin, for example, plummeted from a record high of nearly $20,000 at the end of 2017 to $3,930-ish at the time of writing. Plenty in the industry are optimistic that will change as genuine value comes out of blockchain technology.

HODL itself debuted at $15.64 last November; today it is at $12.83.

Note: The author owns a small amount of cryptocurrency. Enough to gain an understanding, not enough to change a life.

Talent Garden raises €44M to expand in cities ignored by the WeWork-style spaces

Finding myself talking at a startup conference in Kosovo three years ago (as one does), I realized how close I was to Albania, a place which held some fascination for me. I managed to grab a lift with a friendly techie to Tirana, where they arranged for me to speak to the local tech community. That meetup was held in a small co-working space called Talent Garden. It gradually transpired that, while WeWork and other such co-working/offices spaces were concentrating on New York and London, Talent Garden had been busily populating southern and eastern Europe with a network of spaces crisscrossing the continent.

That strategy has now paid off in the form of investor backing. Today, it announces that it has raised €44 million ($49.5 million) in a funding round led by Italian private equity firm Tamburi Investment Partners alongside Social Capital, Inadco Ventures and a range of European family offices. Tamburi previously led a €12 million funding round for Talent Garden in 2016.

The company, founded in Brescia, Italy in 2011, now plans to expand its co-working and education to places like Spain, Italy, Denmark, Austria and many more countries around Europe, focusing on second or third-tier cities where tech communities tend to grow fastest because costs are lower than in the major capitals.

Talent Garden’s chief executive and co-founder Davide Dattoli now plans to open 20 new international co-working campuses over the next five years and expand the scope of its “Innovation School” in digital training (as an analogy, think a combination of offices and General Assembly) and generating a “second tech ecosystem” around Europe outside London, Paris and Berlin. It’s also a licensee of the SingularityU Summit brand across Italy, Spain and Switzerland, for instance.

It is now present in eight countries and has 23 active campuses, with the Talent Garden Innovation School present in five of those countries.

There will, however, be a particular focus on Spain, with new locations in Madrid and Barcelona; France, with one opening planned in 2019; Italy, where it already has more than 10 campuses; and Austria, where it just recently opened.

In 2018, Talent Garden opened a new campus in Dublin as part of a strategic partnership with Dublin City University and also created a joint venture with Rainmaking Loft in Denmark; it has more than three locations across Copenhagen and is now looking for more locations in the Nordic region. Germany, Israel, Benelux and the CEE region are also within its sights. It won’t be ignoring San Francisco, however, with a kind of “campus” project planned for next year.

Will things be different as Talent Garden tries to make incursions into bigger cities? For starters, WeWork is building from a very expensive base (major capitals) while TG isn’t. There are fewer revenues in these third-tier cities, sure, but geography matters less for startup teams that are well-used to remote working. So TG could try to lock in members who only need to “pop in” to the major capitals now and again, where TG has a “landing pad” for them to visit. This potentially creates an incursion into WeWork’s space directly from emerging markets and second/third-tier cities.

Starling Bank to open second UK office, creating up to 150 tech and support jobs in Southampton

Starling Bank, the U.K. challenger bank founded by banking veteran Anne Boden, is set to open a second U.K. office this summer, where it plans to recruit up to 50 software engineers and up to 100 customer service team members. The planned location is Southampton, on the south coast of England, and will be Starling’s first office outside of London.

In a call with Boden late on Friday, she told me the majority of its Southampton office will be new hires who will be helping to build out the challenger bank’s business-banking product. In just less than a year, Starling has garnered more than 30,000 SME business-account sign-ups, adding to around 500,000 consumer current accounts.

The company plans to invest heavily in its business-banking division over the next few years, partly off the back of being awarded a £100 million grant from the Capability and Innovation Fund (CIF), which was set up by Royal Bank of Scotland to fulfill European state aid conditions arising from the bank’s £45 billion U.K. government bailout during the financial crisis.

Boden says that Southampton was chosen as Starling’s new office for its entrepreneurial spirit and high level of tech talent. She says the city is gaining a reputation as a “burgeoning tech hub” and has a growing skilled jobs market and good transport links, including to and from London.

More broadly, she wants Starling to “spread the fintech love” beyond its traditional base of London. There’s an increasing sense that U.K. tech is too London-centric and that the country’s fast-growing tech sector and the employment opportunities it represents should be more evenly distributed.

To that end, Southampton was recently identified in research conducted by global service company CBRE as a technology “Super Cluster” based on the level, concentration and growth of tech-sector employment in the city.

The city’s tech scene is also supported by the University of Southampton (where Tim Berners-Lee was previously Chair of Computer Science), which is home to the Web Science Institute, where Dame Wendy Hall is based. Nearby is also the “innovation hub” Southampton Science Park, spanning 72 acres and housing a mixture of commercial offices, laboratories and meeting and conferencing facilities.

Meanwhile, the news of a second Starling office comes a month after the challenger bank announced it had raised £75 million (~$97 million) in further funding. The new capital consisted of a £60 million Series C round led by Merian Global Investors, including Merian Chrysalis, with £15 million in follow-on funding from Starling’s existing backer and major shareholder Harald McPike. It brings total funding to date for the London-based challenger bank to £133 million, not including the more recent £100 million CIF grant.

Further forward, I’m told Starling is also committed to opening a second regional contact centre to support its growing customer base of SME businesses and individual current account holders. There was previously talk that Wales, the country from where Boden hails, could be chosen, although the bank is also eyeing up the North of England and the Midlands.