Have You Exposed Sensitive Information on the Internet? Here’s How to Help Check

May 16, 2014
Kevin Lam
Tweet about this on TwitterShare on FacebookShare on LinkedInBuffer this pageShare on Google+Email this to someoneShare on RedditShare on StumbleUponDigg thisShare on Tumblr

Icon-Small-50@2xNew York Presbyterian Hospital and Columbia University were fined a combined $4.8 million for accidentally posting 6,800 health records that were Google-searchable. The incident was uncovered when an individual found the records of their deceased partner on the Internet.

Don’t wait for someone to tell you that you’ve exposed your customer’s records online. Here’s a quick, super-easy way to help check if your organization has accidentally leaked sensitive records online. Malicious hackers have known about this for years now, and soon you will too.

Google Hacking 101

A quick Google tutorial is in order. There are two Google search “filters” that you need to know about.

  • filetype: Tells Google to return only results with a certain file type. So a search with “filetype:pdf” tells Google to only return results that are PDF files.
  • site: This filter tells Google to only return results for a certain Website. For example, “site:microsoft.com” tells Google to only return results that point to everything under microsoft.com.

That’s it. That’s all you need to know about Google hacking to get started. Now onto checking your organization.

What Sensitive Information Have You Left Exposed on the Internet?

Using our new Google skills, here’s how you check if your organization has accidentally exposed sensitive data to the Internet. In the examples, just replace “yoursite.com” with your actual domain name like “organizationname.com” or “company.com”, the “www” part is not needed.

Check for exposed PDF files

Use the search “filetype:pdf site:yourdomain.com”:

google_searchpdfs

Check for exposed Word files

Use the search “filetype:doc site:yoursite.com” or “filetype:docx site:yoursite.com”.

google_searchdoc

Check for exposed Excel files

Use the search “filetype:xls site:yoursite.com” or “filetype:xlsx site:yoursite.com”

google_searchxls

There you go, now you have a dead easy way to help check if your organization has accidentally exposed sensitive data publicly on the Internet. If your company uses other file extensions you can check those as well. However, remember that this is just one of many ways an organization can accidentally expose sensitive information the Internet. Depending on your organization, you may have other data exposure risks. So use this technique, but no one technique alone will be a silver bullet.

Well, I hope you found this Data Protection Friday article helpful. Again, if there’s a topic you want me to cover just drop us a note.

 

Kevin Lam signature

–Kevin

P.S. I will be presenting a free Webinar on June 4, 2014 on “Hacking Into Your Healthcare Systems: Top Signs You’re Prime for a Data Breach in 2014”. Register at https://attendee.gotowebinar.com/register/9060275238459733762.  I hope you will come join.

Reference:

http://www.businessinsider.com/new-york-presbyterian-columbia-hipaa-settlement-2014-5

 

Tweet about this on TwitterShare on FacebookShare on LinkedInBuffer this pageShare on Google+Email this to someoneShare on RedditShare on StumbleUponDigg thisShare on Tumblr