Security researchers discovered that Dropbox opens certain file types after they are uploaded. Dropbox explained the behavior as part of a feature, but insidious or not, it has compliance and data security implications.

Dropbox is making headlines again, and not in a good way. Security researchers used a honeypot approach to discover that Dropbox opens some files once they're uploaded. The Western North Carolina Infosec Community (WNC Infosec) used HoneyDocs, a Web-based service that "buzzes home" when a document is opened, to alert you to possible compromise or data leaks. The researchers set out specifically to determine whether cloud storage services like Dropbox might be handling data in ways the user is unaware of.

According to Dropbox, this is normal behavior and nothing to be concerned about. Dropbox has automated backend processing that generates previews of certain file types. In a nutshell, the suspicious file activity is part of a feature that lets Dropbox users view Word, PowerPoint, PDF, and text files directly in a Web browser without having a compatible program installed to open them.

That's convenient, and all well and good, but it doesn't really change the equation in terms of data privacy. For businesses whose employees use personal Dropbox accounts to store and transfer sensitive company data, it may also be a security compliance issue. As it has done with past questions of privacy and data security, Dropbox assures users that only a small handful of Dropbox employees are authorized to access customer data. According to Dropbox policy, "We have strict policy and technical access controls that prohibit employee access except in these rare circumstances."

There is nothing concerning going on per se, at least for individuals. However, regardless of Dropbox's good intentions, the behavior of opening files to generate Web-based previews may not sit well with some compliance directives.
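How a "buzzes home" document works, as an added example (this is not code from the article or from the HoneyDocs service): the decoy is a minimal .docx whose picture is not embedded but referenced by an external URL, so whatever renders the page, a desktop editor or a provider's server-side preview pipeline, fetches that URL and leaves a hit in the beacon's access log. The second half matches those hits back to the document that was placed. The beacon host `beacon.example.invalid`, the token registry and the log lines are constructed for illustration.

```python
# Canary-document ("honeydoc") demo, added as an example; not code from the
# article or from the HoneyDocs service. BEACON_HOST, REGISTRY and SAMPLE_LOG
# are constructed for illustration.
import io
import re
import secrets
import zipfile
import xml.etree.ElementTree as ET

BEACON_HOST = "beacon.example.invalid"  # hypothetical listener you control
PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def new_token() -> str:
    """Unguessable per-document token, so a hit cannot be forged by scanning."""
    return secrets.token_hex(8)


def beacon_url(token: str, host: str = BEACON_HOST) -> str:
    return f"https://{host}/t/{token}.png"


def build_honeydoc(token: str, decoy_text: str = "Q3 payroll summary") -> bytes:
    """Minimal OOXML package. The picture is NOT embedded: the relationship is
    TargetMode="External" and the blip uses r:link, so whatever renders the page
    (Word, LibreOffice, a server-side preview generator) fetches beacon_url()."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    root_rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_RELS}/officeDocument" Target="word/document.xml"/>'
        '</Relationships>')
    doc_rels = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_RELS_NS}">'
        f'<Relationship Id="rIdImg" Type="{OFFICE_RELS}/image" Target="{beacon_url(token)}"'
        ' TargetMode="External"/></Relationships>')
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        f' xmlns:r="{OFFICE_RELS}"'
        ' xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing"'
        ' xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main"'
        ' xmlns:pic="http://schemas.openxmlformats.org/drawingml/2006/picture"><w:body>'
        f'<w:p><w:r><w:t>{decoy_text}</w:t></w:r></w:p>'
        '<w:p><w:r><w:drawing><wp:inline><wp:extent cx="9525" cy="9525"/>'
        '<wp:docPr id="1" name="img1"/><a:graphic>'
        '<a:graphicData uri="http://schemas.openxmlformats.org/drawingml/2006/picture">'
        '<pic:pic><pic:nvPicPr><pic:cNvPr id="1" name="img1"/><pic:cNvPicPr/></pic:nvPicPr>'
        '<pic:blipFill><a:blip r:link="rIdImg"/><a:stretch><a:fillRect/></a:stretch></pic:blipFill>'
        '<pic:spPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="9525" cy="9525"/></a:xfrm>'
        '<a:prstGeom prst="rect"><a:avLst/></a:prstGeom></pic:spPr></pic:pic>'
        '</a:graphicData></a:graphic></wp:inline></w:drawing></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


def external_targets(docx: bytes) -> list:
    """Audit helper: every external relationship target in the main part, i.e.
    exactly what a renderer will fetch. Check it before placing the file."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
    return [r.get("Target") for r in rels.iter(f"{{{PKG_RELS_NS}}}Relationship")
            if r.get("TargetMode") == "External"]


# Combined-format access log from the beacon host (constructed).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2013:14:02:11 +0000] "GET /t/deadbeefdeadbeef.png HTTP/1.1" 200 68 "-" "Mozilla/5.0 (Windows NT 6.1) Word/15.0"
198.51.100.23 - - [10/Sep/2013:14:02:19 +0000] "GET /t/deadbeefdeadbeef.png HTTP/1.1" 200 68 "-" "Python-urllib/2.7"
198.51.100.23 - - [10/Sep/2013:14:03:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "curl/7.30.0"
"""

# Recorded when each honeydoc is placed (constructed).
REGISTRY = {"deadbeefdeadbeef": {"document": "payroll-decoy.docx",
                                 "placed_in": "personal Dropbox folder",
                                 "owner_ip": "203.0.113.7"}}

HIT_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /t/(?P<token>[0-9a-f]{16})\.png'
                    r' HTTP/[\d.]+" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"')


def parse_hits(log_text: str, registry: dict) -> list:
    """Map beacon hits back to registered documents. A hit from any address but
    the owner's means someone, or some automated pipeline, rendered the file."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line)
        if not m or m["token"] not in registry:
            continue
        entry = registry[m["token"]]
        hits.append({"time": m["ts"], "source_ip": m["ip"], "user_agent": m["ua"],
                     "document": entry["document"], "placed_in": entry["placed_in"],
                     "unexpected": m["ip"] != entry["owner_ip"]})
    return hits
```

To use it, write `build_honeydoc(new_token())` to a .docx, record the token in the registry with where you placed it, and run `parse_hits` over the beacon's access log. Two caveats a practitioner should keep in mind: the beacon fires on any render, so a hit from a storage provider's preview pipeline (the case this article describes) is evidence that the file was processed, not by itself evidence that a person read it; the source address and user agent are what let you tell the two apart. And the package above is the bare minimum the OOXML spec allows, so check it in the viewers you care about before relying on it.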
For example, SOX (Sarbanes-Oxley), PCI DSS (Payment Card Industry Data Security Standard), and HIPAA (Health Insurance Portability and Accountability Act) all have requirements that govern access to sensitive data. A third party opening that data, even automatically and for a benign purpose, is a problem when nobody on the compliance side has authorized or documented that access. Ultimately, though, it comes back to the fact that Dropbox should not be used for business. Period. It is a consumer-oriented service, providing consumer-grade protection. Businesses should be using a more robust cloud data service like Box, or at the very least use Dropbox for Business, which gives IT admins more oversight and control of data.