As of June 19, 2017, sensitive information belonging to nearly 200 million US citizens was reported to have been found on a public Amazon cloud service. The sensitive information contained names, birth dates, home addresses, telephone numbers, and political views. This information was used by the Republican National Committee and was accidentally exposed by a marketing firm.
Although this information was publicly available on the service and required no authentication to access, the marketing firm stated that “…we do not believe that our systems have been hacked.” The information was accessed through a provided link, but this is susceptible to phishing emails, account hijacking, or general user error. If this service was compromised, it could take months to know the full details of who may have gained access and whether there was a breach. The information could also have been altered within the service itself, changing its values, which is even harder to detect.
This example illustrates the importance of making sure that we share files using services that we know are secure. When using the City of Portland-approved cloud service, OneDrive, ensure that you limit the number of people able to see the information. The Information Security best practice is to give rights only on a need-to-know basis: grant access only to those who have a business need for the information you want to share.
For more information on how to use OneDrive, please read the “OneDrive for Business” section of the BTS Helpdesk portal: https://www.portlandoregon.gov/bts/68984
Authentication Definition: https://en.wikipedia.org/wiki/Authentication