Indian government leaked shadow data through Google Drive

Researchers at Elastica recently discovered an Indian government agency had its employees' email addresses and passwords exposed through Google Drive.

Security researchers have discovered an Indian government agency revealed sensitive information to the public via Google Drive, leading to concerns about the exposure of shadow data through the cloud.

Elastica, a cloud access security broker (CASB) based in San Jose, Calif., discovered that a government postal service department's employees had publicly shared a document in Google Drive that revealed the emails and passwords of all of the agency's employees. According to Elastica, shadow data is corporate or government information that is broadly or publicly shared by employees, either by accident or ignorance.

Elastica researcher and security architect Aditya Sood, who discovered the public leak, did not reveal the specific agency's name for security reasons. According to Sood, the password file was uploaded during some sort of migration that was happening inside the organization.

"Somebody uploaded a document on the Google Drive and shared it. Either by mistake, or for some other reason, they shared it publicly," he said. "The real root cause [of the information leak] is unknown. It could be a potential malicious insider who shared the information online without the authorities having any information about it. There are chances that any employee accidentally shared it. In both cases, it is disastrous for the government agency."

Sood explained that sharing on the cloud is not well enough understood for employees to make the right decisions with the sharing options. "The big problem is that they don't understand how they have to share, when they have to share and even if they're sharing something -- and when they have to unshare it," he said. "I won't directly call it a breach. But this could lead to a breach."

If attackers had gained access to the document and the employees' email accounts, they could initiate spear phishing attacks with ease, according to Sood; they could have also used the account credentials to gain access to critical government systems. Elastica said in a blog post on the findings that "as a general security principle," passwords should always be stored in an encrypted format to prevent such attacks.

Sood said Elastica notified the local Computer Emergency Response Team India (CERT-In) before posting its findings. CERT-In worked with two other agencies, whose names Sood would not reveal due to their "stealthy" working manner, who consulted with the government agency to patch the shadow data leak and prevent further exposures. Sood emphasized the need for addressing the complexities of sharing information using SaaS applications and shadow cloud services -- especially because cloud use is increasing day by day.

"Cloud technology is increasing day by day," Sood said. "People are using it, and it's going to exist for a long period of time."
