Have You Exposed Sensitive Information on the Internet? Here’s How to Help Check
New York Presbyterian Hospital and Columbia University were fined a combined $4.8 million for accidentally posting 6,800 health records that were Google-searchable. The incident was uncovered when an individual found the records of their deceased partner on the Internet.
Don’t wait for someone to tell you that you’ve exposed your customer’s records online. Here’s a quick, super-easy way to help check if your organization has accidentally leaked sensitive records online. Malicious hackers have known about this for years now, and soon you will too.
Google Hacking 101
A quick Google tutorial is in order. There are two Google search “filters” that you need to know about.
- filetype: Tells Google to return only results with a certain file type. So a search with “filetype:pdf” tells Google to only return results that are PDF files.
- site: This filter tells Google to only return results for a certain Website. For example, “site:microsoft.com” tells Google to only return results that point to everything under microsoft.com.
That’s it. That’s all you need to know about Google hacking to get started. Now onto checking your organization.
What Sensitive Information Have You Left Exposed on the Internet?
Using our new Google skills, here’s how you check if your organization has accidentally exposed sensitive data to the Internet. In the examples, just replace “yoursite.com” with your actual domain name like “organizationname.com” or “company.com”, the “www” part is not needed.
Check for exposed PDF files
Use the search “filetype:pdf site:yourdomain.com”:
Check for exposed Word files
Use the search “filetype:doc site:yoursite.com” or “filetype:docx site:yoursite.com”.
Check for exposed Excel files
Use the search “filetype:xls site:yoursite.com” or “filetype:xlsx site:yoursite.com”
There you go, now you have a dead easy way to help check if your organization has accidentally exposed sensitive data publicly on the Internet. If your company uses other file extensions you can check those as well. However, remember that this is just one of many ways an organization can accidentally expose sensitive information the Internet. Depending on your organization, you may have other data exposure risks. So use this technique, but no one technique alone will be a silver bullet.
Well, I hope you found this Data Protection Friday article helpful. Again, if there’s a topic you want me to cover just drop us a note.
–Kevin
P.S. I will be presenting a free Webinar on June 4, 2014 on “Hacking Into Your Healthcare Systems: Top Signs You’re Prime for a Data Breach in 2014”. Register at https://attendee.gotowebinar.com/register/9060275238459733762. I hope you will come join.
Reference:
http://www.businessinsider.com/new-york-presbyterian-columbia-hipaa-settlement-2014-5