Key Points:

• Sensitive data, including Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Information (PCI), is commonly held by companies worldwide. Storing such data in the cloud without proper management processes poses significant risks.
• Cloud-based collaboration tools like Google Workspace, Slack, and Microsoft OneDrive can be vulnerable to data leaks and breaches if access controls are not tightly managed and if data is improperly configured.
• Risks associated with storing sensitive data in the cloud include data breaches, insider threats, malware, lack of control, and potential loss of data visibility. Several companies, including Puma and Microsoft, have experienced cloud data leaks, emphasising the importance of security measures.

Almost every company in the world holds some sort of sensitive data - whether it’s their employee’s bank details, their customer’s car insurance information, or company secrets they need to keep private.

But storing that information in the cloud, without the right processes in place to manage it, is risky for your business. Taking steps to minimise the data you hold on to could be the right solution for you.

What is meant by sensitive data?

Sensitive data typically falls into three categories, PII, PHI and PCI:

- PII (Personally Identifiable Information): Data someone could be identified by, such as a person’s full name, home address or date of birth. Some types of information become PII when put in the right context. For instance, a postcode on its own may not be PII but if it appears beside someone’s street address, it will become PII.

- PHI (Protected Health Information): Information relating to someone’s health that should be kept confidential. Examples include medical records and details of medications. PHI will be held by healthcare organisations and hospitals who need to make sure they have policies in place to keep it protected.

- PCI (Payment Card Information): Details from someone’s payment card such as their account number or sort code.

Where can it be stored and secured?

Sensitive data can be stored on-premise (i.e. onsite) or in the cloud.

If your company uses cloud apps like Google Workspace, Slack, or Microsoft OneDrive, there could be plenty of sensitive data stored in them too.

Although these tools can be great for collaboration, employees can often overshare information in them, believing them to be completely secure. Unfortunately, that’s not always the case and they can still be vulnerable to data leaks or breaches.

How is data vulnerable in the cloud?

As data can be accessed from anywhere in the world when it’s stored in the cloud, individuals don’t need to be in the office to get hold of sensitive data, opening it up to more vulnerabilities.

If access controls aren’t tight enough, data can easily be accessed via an employee’s login. Operating a zero trust strategy can be a great way of ensuring that you have tight limits on who is accessing sensitive data.

Misconfiguration can also be an issue, as Sheree Lim, Head of Product at Metomic, explains:

“When it comes to setting up your cloud environment, you need to make sure you’re not rushing things for the sake of getting it in place quickly. Along the way, you might sacrifice key security features that can make your environment more susceptible to hacking or data leaks. It’s imperative that you configure the right access controls and put encryption in place, as well as continually monitoring your cloud environment to make sure everything is running smoothly.”

What are the risks?

There are a number of risks when it comes to storing sensitive data in the cloud:

1. Data breaches

Hackers who manage to access the cloud can leak data or sell it on, putting customers at risk of having their data stolen and their identity compromised.

2. Insider threat

Employees who have malicious intentions towards the company can leak sensitive data from the cloud. Without strong insider threat software protections in place, security professionals may not have visibility over anomalous behaviours that could alert them to this taking place.

3. Malware and viruses

If malware gets into your cloud environment, it can infect data stored in there. Not only that, it can also spread to any connected devices too.

4. Lack of control

A lack of visibility and full control over the data stored in your cloud means you can’t protect what you can’t see. The risk associated with this is that if your cloud environment is breached, hackers could gain access to data you don’t even know about.

Which companies have been impacted by cloud data leaks?

The sportswear brand, Puma, was hit by a ransomware attack in December 2021, which affected Kronos - one of its service providers. Hackers stole sensitive data on almost half the Puma workforce (over 6000 people in total) from the Kronos Private Cloud environment, and then encrypted the data, making it difficult for Puma employees to retrieve it.

Microsoft was also affected by a cloud data leak when they were hacked by Lapsus$ who accessed one employee’s account, and leaked partial source code for Bing, Bing Maps and Cortana. Luckily, the software giant was able to intercept and prevent the attack going further but the group’s social engineering techniques helped them to gather what Microsoft describes as ‘intimate’ information on the business, including employee details, team structures, and supply chain relationships.

What can businesses do to minimise & secure data being stored in the cloud?

There a few steps businesses can take to minimise data being stored in the cloud:

#1. Build a human firewall of employees who understand the risks associated with uploading data to the cloud, and the best ways to minimise it. Your people are one of your strongest assets, so training them up to effectively detect phishing scams or unusual behaviour can be a game-changer for your business.

#2. Strengthen your access controls to prevent people gaining access to sensitive data when it’s in the cloud. Activate multi-factor authentication to restrict access to those who don’t need it.

#3. Install a sensitive data discovery tool like Metomic to detect where your sensitive data lives. Once you know what you’re dealing with, you can take steps to minimise the amount of data in the cloud by redacting information once it’s been processed by the relevant employees.

#4. Do thorough research into the apps & cloud providers you’re using. For instance, do they have SOC 2 certification? Make sure they’re secured and have the right processes in place to guarantee they’re doing all they can to protect your data.

#5. Carry out regular risk assessments to ensure your sensitive data is being maintained at all times.

Minimise & secure your sensitive data in the cloud

Reducing the amount of data you hold in the cloud can minimise the financial and reputational impacts of a data breach. Using a DLP tool like Metomic to redact data could be the ideal solution for you.

Read Hati’s story to see how we helped him protect data across his company’s Google Workspace.

‍