[BreachExchange] Be careful not to keep your invoices where your competitors can find them

Audrey McNeil audrey at riskbasedsecurity.com
Mon Nov 21 19:11:47 EST 2016


http://www.pandasecurity.com/mediacenter/news/cybersecurity-invoices-companies/

Invoices are among the most common and most sensitive documents that
companies handle on a daily basis. Issuing and receiving them is a
fundamental activity for every business; however, people are not always
aware of how important they remain even after being paid or collected.

Together or individually, they can expose critical information that can be
very valuable to your competitors, such as customer lists, product and
service descriptions, prices and promotions, or details of key agreements.

However, these files are so common in organizations that employees often
treat them carelessly or with a complete disregard for security, to the
point of sending them via email in unencrypted formats or through instant
messaging applications, or storing them in virtual storage that is more or
less accessible to the public or on physical devices such as pen drives.
In fact, it’s quite easy to overlook the importance of the information
they can provide to a third party.

Just do a couple of searches on Google and you’ll realize the extent of the
problem. Search for such simple, obvious terms as ‘invoice euros vat
inc address tax number date total’ with a filter to show only PDF files,
and you’ll find an endless number of sensitive documents that are
accessible to the public without companies knowing.

Companies in the textile sector, integrated service companies, travel
agencies, and more: the list is too long, especially if you consider how
easy it is to protect invoices if you take the appropriate precautions.

First, these and other critical files should never be stored on
Internet-facing servers. However, as this can be difficult in the
day-to-day reality of the majority of companies, they should at least
check that the contents of those servers are not accessible to the public
in such evident places as Google.

In reality, the presence of these and other confidential files in the
popular search engine is almost always due to the misconfiguration of
corporate servers, or to the fact that these servers include directories
that can be easily crawled by Google’s bots.

Being aware of this and taking the necessary steps to prevent it is one of
those simple, effective protection measures that companies often forget
about. However, it is very important to understand that invoices contain
far more valuable information than may seem apparent at first glance.
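
One way to run the check described above on your own server, as an added
example that is not part of the original article: walk the web document
root and report invoice-like documents and directories with no index file.
The keyword list, extensions, index file names and the sample tree are
assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristics assumed for this example; tune them to your own naming conventions.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".csv"}
KEYWORDS = re.compile(r"invoice|factura|receipt|billing", re.IGNORECASE)
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def audit_webroot(root):
    """Return (exposed_docs, listable_dirs), paths relative to root, '/'-separated."""
    exposed, listable = [], []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        # No index file: the server shows a file listing here if auto-indexing is on.
        if not INDEX_FILES & {f.lower() for f in files}:
            listable.append(rel.replace(os.sep, "/"))
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in DOC_EXTS and KEYWORDS.search(name):
                path = os.path.normpath(os.path.join(rel, name))
                exposed.append(path.replace(os.sep, "/"))
    return sorted(exposed), sorted(listable)

def build_sample(root):
    """Create a small constructed tree standing in for a real document root."""
    sample = ["index.html", "docs/Invoice_2016_001.pdf", "docs/brochure.pdf",
              "billing/index.html", "billing/factura-44.xlsx", "img/logo.png"]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        docs, dirs = audit_webroot(root)
        print("Invoice-like documents under the web root:", docs)
        print("Directories without an index file:", dirs)
```

A file name match is only a heuristic; anything it reports should be moved
off the public server or placed behind authentication.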