Dropbox makes collaboration and sharing of documents easier, but is the platform secure enough for our company to process confidential information with it? What should we look for before deciding to upload company data to the Dropbox cloud?
The year 2012 was unlucky for Drew Houston and Arash Ferdowsi, the founders of Dropbox. Five years after launching their startup, in a period that is groundbreaking for many entrepreneurs, they got hacked, a breach affecting over 68 million users – two-thirds of all registered users. The blow was painful and to this day it makes people ask how safe storing data on Dropbox really is. The case became really loud, however, only in 2016, when the stolen database was discovered by Leakbase and it turned out that decrypted login credentials of some users could be bought online. Pushed to the wall, Dropbox revealed the full scale of the hack, exposing itself to massive criticism from customers as well as claims for damages. The question was also asked how it was even possible for criminals to break into one of the most popular cloud storage services.
"Technically" safe Dropbox - the curse of popularity
It seems that even the largest network service providers, including business platforms, are not free from the pitfalls of today’s internet. Recall that the largest data leak in history – from Yahoo in 2013/14 – amounted to 3.5 billion (!) records, leaving Dropbox’s “result” far behind. Should companies start getting used to the fact that their data will never be completely secure in the cloud? Well, it depends. Since the ill-fated incident took place, Dropbox has done a lot to prevent a similar situation and to repair its tarnished reputation. Does it pay off to conduct sensitive business activities via its popular cloud services?
Let’s start with the fact that, as one of the leading storage providers, Dropbox remains a high-risk target, at least hypothetically. This means that not only hackers, but also potentially rogue employees and, most importantly, external institutions may be interested in the data companies store on its servers. Confidential enterprise data can become valuable loot for each of these groups. How could data ever get into the wrong hands? To better understand the logic behind the actions of potential uninvited guests, we first need to take a closer look at how Dropbox itself works.
Data in Dropbox is transferred according to the following scheme:
- The application on the user’s device divides the sent file into blocks, each encrypted with a 256-bit algorithm (AES). Only the user (application) and the server are in possession of the decryption keys.
- Files are sent from the application to the server over a secure connection in the SSL / TLS standard with 128-bit encryption. This protects the data from being intercepted. Even if someone manages to take it over (e.g. by performing a so-called Man-in-the-Middle attack, i.e. by pretending to be the server / application), the files cannot be read, because they were previously encrypted by the application and the key is stored in the Dropbox database.
- The file reaches the server, where it is decrypted for cataloging and encrypted again.
- The way back to the user’s application is again protected by an SSL / TLS connection.
In practice, this is high-grade security. Unless – which is unlikely, but cannot be completely excluded – we are dealing with a dishonest Dropbox employee who theoretically has access to our data, a criminal would have to somehow intercept the encryption key, or gain access to an employee account or the key database, to be able to read an encrypted file. This is also unlikely, but not impossible. Suffice it to say that the infamous attack of 2013 was based on hacking into the account of an employee who, horror of horrors, used the same login password in other places on the Internet, and the criminals managed to guess it. However, such attacks do not happen every day, and awareness of phishing is constantly being raised. It can therefore be assumed that, from the technological side, files on Dropbox are safe. The proviso is that, because Dropbox is meant for storing and sharing predominantly non-critical information, the service lacks some key functions that dedicated solutions for comprehensively secure storage of classified information offer. For example, even though Dropbox gives you the option of blocking document modification, you can still download and modify confidential files on your own hardware and then upload them to the server again. We write more about the differences in the approach to security in the article “Safe alternative to Dropbox in Due Diligence”.
Dropbox security vs American legislation
So, if we assume that it is technically difficult (if not next to impossible) to hack Dropbox as long as all sides maintain good user practice, there is still the issue of Dropbox’s privacy policy and its compliance with government institutions’ regulations on sharing customer data, which remains one of the most debated problems. It is mainly for this reason that Dropbox users might want to refrain from using it as a tool for sharing confidential company data. Even the best encryption methods and internal procedures do not prevent third parties from gaining access to company documents if the law allows it, and the widespread use of Dropbox increases this risk. In this context, it can be said that Dropbox does not provide full privacy of data stored on its servers. While our company can afford to share non-sensitive documents and files using Dropbox, sharing and storing confidential information on it, such as financial statements, strategic plans or intellectual property, even when using Dropbox Business, leaves a potential privacy loophole. There is a chance data will be passed on without our consent or knowledge. According to Dropbox statistics, the number of search requests, warrants and subpoenas for users has more than doubled since 2016. Is it worth exposing company secrets to such conditions? Full confidentiality would only exist if we used our own file encryption methods before the files reach the Dropbox application folder on our device, which would significantly hinder daily work with the system.
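The scheme described above has one property that decides the whole privacy question: the server decrypts every file for cataloging, so the provider holds keys that unlock the data, and anything the provider can read it can also be compelled to hand over. The alternative mentioned at the end of the paragraph, encrypting files ourselves before they reach the synced folder, moves the key to the device. The following Go program is an added example of that approach and is not Dropbox code or a description of its internals; the `FDX1` header, the function names and the sample document are constructed for illustration. It uses AES-256-GCM from the Go standard library, so the provider only ever stores an opaque blob, and any modification of that blob (or an attempt to open it with the wrong key) is rejected by the authentication tag rather than yielding garbage.

```go
// Client-side encryption of a file before it is placed in a synced cloud
// folder. Added example, not Dropbox code: the provider only ever sees the
// blob returned by EncryptForUpload, and the key never leaves the device.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes, i.e. AES-256, the key length the article quotes.
const KeySize = 32

// header is a constructed format marker for this example's blobs. It is
// authenticated as associated data but not encrypted.
var header = []byte("FDX1")

// NewKey draws a fresh random key. In practice it would live in an OS
// keychain or be derived from a passphrase; here it stays in memory.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload returns header || nonce || ciphertext+tag. A fresh random
// nonce per file is mandatory with GCM; reuse under one key breaks security.
func EncryptForUpload(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	blob := append([]byte{}, header...)
	blob = append(blob, nonce...)
	return gcm.Seal(blob, nonce, plaintext, header), nil
}

// DecryptFromSync reverses EncryptForUpload. Any change to the stored blob,
// whether on the provider's side or in transit, fails the GCM tag check.
func DecryptFromSync(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	minLen := len(header) + gcm.NonceSize() + gcm.Overhead()
	if len(blob) < minLen || !bytes.HasPrefix(blob, header) {
		return nil, errors.New("not a blob produced by EncryptForUpload")
	}
	nonce := blob[len(header) : len(header)+gcm.NonceSize()]
	return gcm.Open(nil, nonce, blob[len(header)+gcm.NonceSize():], header)
}

// Tampered flips one byte of a copy of the blob, simulating modification of
// the stored file, so the rejection in DecryptFromSync can be demonstrated.
func Tampered(blob []byte) []byte {
	out := append([]byte{}, blob...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	key, _ := NewKey()
	// Constructed sample document; a real tool would read the file from disk.
	doc := []byte("Q3 financial statement - CONFIDENTIAL - revenue 12.4M")

	blob, err := EncryptForUpload(key, doc)
	if err != nil {
		panic(err)
	}
	// This opaque blob is all the provider, and anyone it discloses to, gets.
	fmt.Println("stored blob:", hex.EncodeToString(blob))

	if _, err := DecryptFromSync(key, Tampered(blob)); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
	back, err := DecryptFromSync(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(back))
}
```

The trade-off the paragraph hints at is visible here: because the provider cannot read the content, it also cannot index, preview or deduplicate it, and sharing a file now means sharing a key out of band, which is exactly the daily friction the article describes.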
Dropbox privacy policy. What else do we need to know?
On the Dropbox website we read that the service works in 100% compliance with GDPR regulations. This is a big plus, but remember that Drew Houston’s company is headquartered in the USA and is also subject to local laws. This means that it is obliged to cooperate with US government agencies, as well as with agencies from outside US territory. Although Dropbox has a policy of informing users about any incoming requests for access to their data, in accordance with its transparency policy, American courts often reserve the right to keep an investigation confidential, which leaves users with no information about which institutions use their data or for what purpose.
The popularity of Dropbox is then, in a sense, a trap for business owners. On the one hand, the system has high technological security (yet limited by its sheer purpose); on the other, it remains in the crosshairs of hackers and government institutions. It is then up to the company whether to agree to expose its data to possible privacy violations. If you want to learn more about cloud security, go to the article “Cloud data storage and file security”, where we take a closer look at how cloud providers protect sensitive business data.