When planning to store personal information on a cloud, do your homework first by identifying potential risks
Personal data from over 68 million users of Dropbox, the popular cloud storage company, has been posted for sale online. The details were stolen during a previously disclosed breach in 2012 but Dropbox discovered the sale only a few months ago when carrying out routine security checks.
The popularity of Dropbox for storage and file sharing has led to it becoming the cloud service most targeted by cyber criminals. The hack highlights the need for tight security, with the use of unique and complex passwords as well as two-step authentication.
Hacking is not the only concern for Dropbox users. The service also suffers from bugs (many businesses were affected in 2014 when it released an update with a bug that deleted user files) and from open doors, which leave open sensitive files that can be viewed.
The service offers server-side encryption for files but this is insufficient if there is a security breach. This is because Dropbox provides and controls your files’ encryption keys. It accesses them to provide a preview and this weakens security.
It has also changed its privacy terms to give itself the right to share collected data.
The following questions should be asked to identify potential risks of non-compliance or vulnerabilities that may fall outside the Data Protection Act:
- In which country is the cloud provider located?
- Is the provider infrastructure in the same country or elsewhere?
- Will the provider use companies whose infrastructure is outside those countries?
- Where will its data be physically located?
- Will any of the provider’s services be contracted out?
- How will data provided by the controller to the provider be collected, processed and transferred?
- What happens to data sent to the provider upon termination of the contract? and
- What happens to data sent to the provider when there is a dispute between the parties?
Marlon Johnson is managing director at JMS Secure Data