European cloud provider Nextcloud leaks 367K records, exposing staff and clients

https://cybernews.com/security/nextcloud-cloud-provider-data-leak/

Key takeaways:

Nextcloud exposed 367,000 internal records after a hosting misconfiguration left an Elasticsearch database publicly accessible.

The leaked files included invoices, contracts, employee details, emails, and setup scripts.

Nextcloud said it fixed the issue, notified the state data protection officer, and found no evidence of exploitation.

Exposed email data and scripts could help attackers craft phishing messages or probe client systems for weaknesses.

2 Likes

Nextcloud is claiming there is no inherent issue with their infrastructure and this leak was due to a misconfiguration.

However, the misconfiguration appears to have been the fault of Nextcloud which calls into question their competency.

Sadly that would not actually put them outside the norm for corporate cloud providers.

2 Likes

Development and day to day operations are almost certainly a different departments.

1 Like

Yeah and security was probably an afterthought.

How many more dataleaks we need before companies realize we need to encrypt everything and everything.

6 Likes

From the customer perspective it doesn’t matter what department of Nextcloud screwed up. The effect on their data is the same.

2 Likes

You can not E2EE the data that was saved in the DB and normal encryption would not protect against this leak.

A real Zero-Trust model (moving away the trust factor of devices in different networks) would be a more suitable protection for this kind of leak. However real Zero Trust also means Identity, Authentication and Authorization on L1, which is hard and expensive … really expensive.

1 Like

Until they actually start facing real consequences, I doubt anything will really happen.

6 Likes

How can companies determine how much security to invest in if they don’t have a security breach to size the impact of said work? /s

Such solutions need to be more ootb. If we can’t trust companies to get configurations right, I sure as shit wouldn’t expect them to get cryptography right.

2 Likes

Well what is worse? Company goes bankruptcy because they lost key versus company leaks your data.

This is why we need better enforcement on management persons to make them pick the encryption risk. If they risk personal liability on data leaks they surely would make a different choice.

1 Like