Twitter's misplaced trust in the cloud

"It’s not our fault that [your company here] stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions."

The missing company name above is Twitter. Could it have been you?

The statement came from Michael Arrington, part of his explanation today as to why TechCrunch is publishing internal documents stolen from Twitter. TechCrunch obtained the documents from a thief who broke into personal accounts of Twitter employees - including CEO Evan Williams. The data was stored in the cloud.

No doubt Williams regrets that he ever trusted the cloud with his company's data. Twitter's experience points up both the dangers of mixing personal and professional business when using cloud-based services and how inadequate security provisions may be for data stored in the cloud.

This morning, and with much fanfare, TechCrunch published the first installment of highlights from its precious cache of 310 stolen internal Twitter documents. The documents were a gift from a person identifying himself only as "Hacker Croll." He obtained the data from Williams' and other employees' online personal accounts, including Gmail accounts. The hacker claims to have obtained the passwords by taking advantage of the password recovery procedures associated with those services.

The documents stolen ranged from the simply embarrassing, such as plans for a reality TV show called Final Tweet, to more sensitive data, such as floor plans, financial projections and even access codes and passwords.

Pushing sensitive data outside of the corporate firewall is never a good idea unless that data is protected to the same exacting standards you would use internally. Even then it won't have the same legal protections afforded to data stored on premises. But the big problem is that these services, particularly those designed for consumers, don't always provide that same level of security for data stored in the cloud.

Dedicated cloud storage services commonly offer encryption both for data at rest and in transit. But if your employees are using something like Google Docs or Gmail, the protections are much more limited. What's worse, when those are personal accounts you may not even know that the data is out there in the first place.

Employees may be using personal Google Docs accounts for ad-hoc collaboration. Or, if they don't like the search capabilities Exchange Server offers, perhaps they're forwarding copies of everything to a personal Gmail account for faster indexing and searching.

So have policies in place regarding personal accounts, audit for compliance, and perform due diligence on the sanctioned services your employees do use that store business data in the cloud. Otherwise, you could be next.


Copyright © 2009 IDG Communications, Inc.
