Intellectual Property Disaster: Box.com snafu deletes author’s files

Worth reading:  This account by a fan of cloud storage who is newly wise to the dangers of storing proprietary data in the cloud.

But the author, a journalist named Dan Tynan, wasn't sufficiently hardened to suit Habeas Hard Drive. After describing how some of his work was lost when another Box.com customer was inadvertently given the authority to delete his account, Tynan reveals that he still uses cloud storage for his family's medical and financial records – and even names the specific providers.

In other words, “Please rob me.”

Tynan is to be commended, though, for raising the red flag about cloud security. Habeas Hard Drive suggests the following lessons can be learned from Tynan’s story:

Lesson #1:  Keep a log of “invitations” to file access

After a weeks-long investigation, Tynan learned that his wife, with whom he sometimes collaborates, had invited a public relations company to access files in the Box.com account she and Tynan share.  Confusion occurred over the identity of the PR company’s external collaborators, and the Tynan account was deleted by someone he never met – an employee at the PR firm.

Habeas Hard Drive would suggest keeping an internal log any time an outside entity is invited to access files in a collaborative environment. A spreadsheet or a simple database entry can record the date, who was invited by whom, the purpose of the access, and the permission level granted (view-only, edit, or the right to remove content). Keep that log outside the account it describes: a record stored in the same cloud account would have vanished along with Tynan's files.

This might have shortened the time necessary to figure out what happened.  It would have given Box.com support staff a place to start looking for events that could have triggered the deletion.

It would also allow the Tynans to start contacting people quickly, to find out what happened to their intellectual property.
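As an added example (not from Tynan's account, the Habeas Hard Drive post, or any Box.com tooling), the following Python keeps that invitation log as an append-only file outside the cloud account and answers the three questions an investigation starts with: who outside the household was ever given access to a folder, which of those grants carried the right to delete content, and which grants are past their agreed revocation date. The e-mail addresses, folder names, role names and dates are constructed for the example; map the role names to whatever permission levels your provider actually exposes.

```python
"""Append-only ledger of outside invitations to shared folders (added example)."""
import json
from dataclasses import dataclass, asdict
from datetime import date
from pathlib import Path
from typing import List, Optional

# Roles under which the provider lets the invitee remove content.
# Constructed names: substitute the roles your provider actually offers.
DESTRUCTIVE_ROLES = {"editor", "co-owner", "owner"}


@dataclass(frozen=True)
class Invitation:
    sent_on: str          # ISO date the invitation went out
    invited_by: str       # who inside our account sent it
    invitee: str          # the outside party's e-mail address
    folder: str           # folder or file that was shared
    role: str             # permission level granted (viewer, editor, co-owner, ...)
    purpose: str          # why access was granted
    expires_on: Optional[str] = None  # agreed revocation date, if any


def record(ledger: Path, inv: Invitation) -> None:
    """Append one entry; the file is never rewritten, so it doubles as evidence."""
    with ledger.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(asdict(inv)) + "\n")


def load(ledger: Path) -> List[Invitation]:
    """Read the whole ledger back, skipping blank lines."""
    with ledger.open(encoding="utf-8") as fh:
        return [Invitation(**json.loads(line)) for line in fh if line.strip()]


def access_to(invs: List[Invitation], folder: str) -> List[Invitation]:
    """Every outsider ever invited to a folder, most recent invitation first."""
    return sorted((i for i in invs if i.folder == folder),
                  key=lambda i: i.sent_on, reverse=True)


def destructive_grants(invs: List[Invitation]) -> List[Invitation]:
    """Invitations whose role lets the outsider delete content: the failure mode in the story."""
    return [i for i in invs if i.role in DESTRUCTIVE_ROLES]


def overdue(invs: List[Invitation], today_iso: str) -> List[Invitation]:
    """Invitations past their agreed revocation date that are still on the books."""
    today = date.fromisoformat(today_iso)
    return [i for i in invs
            if i.expires_on and date.fromisoformat(i.expires_on) < today]


# Constructed sample entries for a shared household account.
SAMPLE = [
    Invitation("2013-04-02", "spouse@example.com", "agent@pr-firm.example",
               "Book manuscript", "editor", "review chapter drafts", "2013-05-01"),
    Invitation("2013-04-10", "spouse@example.com", "assistant@pr-firm.example",
               "Book manuscript", "viewer", "read-only access for scheduling"),
    Invitation("2013-03-15", "dan@example.com", "cpa@accountant.example",
               "Tax 2012", "viewer", "prepare return", "2013-04-20"),
]

if __name__ == "__main__":
    import tempfile
    ledger = Path(tempfile.mkdtemp()) / "invitations.jsonl"
    for inv in SAMPLE:
        record(ledger, inv)
    invs = load(ledger)
    for i in access_to(invs, "Book manuscript"):
        print(f"{i.sent_on} {i.invitee:<28} {i.role:<8} invited by {i.invited_by}")
    print("can delete:", [i.invitee for i in destructive_grants(invs)])
    print("overdue:   ", [i.invitee for i in overdue(invs, "2013-05-15")])
```

Run it and the first query lists both PR-firm addresses ever invited to the manuscript folder, which is the list of people to contact on day one rather than after a weeks-long investigation; the second flags the one outsider who could delete content; the third shows which invitations should already have been revoked. The ledger lives on local disk, not in the shared account, so it survives whatever happens to that account.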

Lesson #2:  Don't use free services for sensitive or confidential data

Just as we recommend ditching free or consumer-grade webmail in favor of a secure, enterprise-level service, we also warn against free or low-cost, consumer-grade cloud storage.

If you want to store confidential data or valuable intellectual property in the cloud, pay for a secure service. Examples include services with added security features such as Covisint, which uses two-factor authentication, and Accellion, which encrypts data both in transit and at rest on its servers. Sources tell Habeas Hard Drive that Accellion will soon add two-factor authentication. Price alone is no guarantee, though: the features to check for are two-factor authentication, encryption in transit and at rest, an audit log of sharing and deletion events, and a recovery window for deleted content.

Lesson #3:  Service providers should follow Box.com's example

Tynan's story includes Box.com's response once the company learned that his account had been deleted by a complete stranger. Management did the following: (1) apologized; (2) took responsibility for the event; (3) changed company policies to prevent similar mishaps in the future; (4) forensically recovered Tynan's files.

Granted, Tynan is a tech writer who has the power to damage the company in ways ordinary users can't. But after many bad experiences trying to report security flaws to unresponsive companies, Habeas Hard Drive salutes Box.com's response.

by Ira Victor @ira_victor , and Samantha Stone
