SECURITY Dropbox security - what should your business know?

Dropbox makes collaboration and sharing of documents easier but is the platform secure enough for our company to process confidential information with it? What to look for before deciding to upload company data to the Dropbox cloud?

The year 2012 was unlucky for Drew Houston and Arash Ferdowsi, the founders of Dropbox. Five years after launching their startup, in a period that is groundbreaking for many entrepreneurs, they got hacked, breach affecting security of over 68 million users – two-thirds of all the registered. The blow was painful and to this day it has made people ask how safe exactly storing data on Dropbox is. The case got really loud, however, only in 2016, when the stolen database was discovered by Leakbase and it turned out that decrypted login credentials of some users could be bought online. Pushed to the wall, Dropbox revealed the full scale of the hack, submitting itself to massive criticism from customers, as well as claims for damages. The question was also asked how was it even possible that the criminals were able to break into one of the most popular cloud-storing services?

It seems that even the largest network service providers, including business platforms, are not free from the pitfalls of today’s internet. Let us remind that the largest data leak in history – from Yahoo in 2013/14 – amounted to 3.5 billion (!) records, leaving Dropbox’s “result” far behind. Should companies start getting used to the fact that their data will never be completely secure in the cloud? Well, it depends. Since the ill-fated accident took place, Dropbox has done a lot to prevent a similar situation and improve the tarnished reputation. Does it pay off to conduct sensitive business activities via its popular cloud services?

Let’s start with the fact that as one of the leading storage providers, Dropbox remains high risk, at least hypothetically. This means that not only hackers, but also potentially rogue employees and, most importantly, external institutions may be interested in data companies store on the servers there. Confidential enterprise data can become valuable loot for each of these groups. How could data ever get into the wrong hands? To better understand the logic behind the actions of potential uninvited guests, we need to take a closer look at Dropbox’s very own way of working first.

• The application on the user’s device divides the sent file into blocks, each encrypted by a 256-bit algorithm (AES). Only the user (application) and the server are in possession of decryption keys.
• Files are sent from the application to the server using a secure connection in the SSL / TLS standard and 128-bit encryption. This protects the data from being intercepted. Even if someone manages to take it over (e.g. by performing the so-called Man-In-The-Middle Attack, i.e. by pretending to be the server / application), the files cannot be read because they were previously encrypted by the application and the key is stored in the Dropbox database.
• The file reaches the server, where it is decrypted for cataloging and encrypted again.
• The way back to the user’s application is again protected by means of an SSL / TLS connection.

In practice, this is a high class security. If – which is rather certain, but we cannot completely exclude it – we are not dealing with a dishonest Dropbox employee who theoretically has access to our data, the criminal would have to somehow intercept the encryption key or gain access to an employee account or key database to be able to read the encrypted file. This is also unlikely but not impossible. Suffice it to say that the infamous attack of 2013 was based on hacking into the account of an employee who, horror of horror, used the same login password in other places on the Internet, and criminals managed to guess it. However, such attacks do not happen every day, and the awareness of phishing is constantly being raised. It can therefore be assumed that from the technological side, files on Dropbox are safe, with the proviso that due to the purpose of Dropbox, which is storing and sharing prevalently non-critical information, the service does not have some key functions many dedicated solutions for comprehensively secure storage of classified information might have. For example, even if Dropbox gives you the option of blocking document modification, you can still download and modify confidential files on your hardware and then upload them to the server. We write more about the differences in the approach to security in the article “Safe alternative to Dropbox in Due Diligence”.

So, if we assume that it is technically difficult (if not next to impossible) to hack Dropbox while maintaining good user practice by all sides, there is still the issue of Dropbox’s privacy policy and compliance with government institutions’ regulations in the field of sharing customer data, which is still one of the most debated problem. It is mainly for this reason that Dropbox users might want to restrain from using it as a tool for sharing confidential company data. Even the best encryption methods and internal procedures do not prevent third parties from having access to company documents if the law allows it, and the widespread use of Dropbox increases this risk. In this context, it can be said that Dropbox does not provide full privacy of data stored on its servers. While our company can afford to share unsensitive documents and files using Dropbox, sharing and storing confidential information, such as financial statements, strategic plans, intellectual property on it, even when using Dropbox Business, leaves a potential privacy loophole. There is a chance data will be passed on without our consent or knowledge. According to Dropbox statistics, the number of search requests, warrants and subpoenas for users has more than doubled since 2016. Is it worth exposing company secrets to such conditions? Full confidentiality would only exist if we used our own file encryption methods before the files reach the Dropbox application folder on our device, which would significantly hinder the daily work with the system.

On the Dropbox website we read that the service works in 100% compliance with GDPR regulations. This is a big plus, but remember that Drew Houston’s company is headquartered in the USA and is also subject to the local laws. This means that it is obliged to cooperate with US government agencies as well as from outside this territory. Although Dropbox has a policy of informing users about any incoming requests for access to their data in accordance with Dropbox’s transparency policy, the American court often reserves the right to confidentiality of the investigation, which results in a complete lack of information about the purpose of which institutions use this data.

The popularity of Dropbox is then, in a sense, a trap for business owners. On the one hand, the system has high technological security (yet limited by its sheer purpose), on the other it remains in the crosshairs of hackers and government institutions. It is then up to the company whether to agree to expose their data to possible privacy violations. If you want to learn more about cloud security, go to the article “Cloud data storage and file security” where we take a closer look on how cloud providers protect sensitive business data.