Japanese game developer Ateam has admitted that a simple misconfiguration of its Google Drive cloud storage service had been putting the personal information of users at risk for more than half a decade.
“On November 21, 2023, we discovered that personal information in files located on the cloud service Google Drive used by our group could possibly be viewed… [by] anyone who knew the exact URL link to access the files,” the company said in a statement.
Files created, stored, and shared between March 2017 and November 22, 2023 – a period of over six-and-a-half years – have now been secured, says the company.
Google Drive files shared inadvertently
Ateam says that a report “checking the accuracy of a security product being considered for implementation detected files that were at risk” highlighted the misconfiguration.
Data of nearly a million individuals had been caught up in the misconfiguration, including 925,728 customers, 6,909 business partners, 264 employment candidates, plus several thousand employees. Ateam, Ateam LifeDesign, Ateam Entertainment, Ateam Wellness, and Ateam CommerceTech were all affected.
An employee with access to the company’s Google Drive publicly sharing a link (inadvertently or maliciously) could have been catastrophic for Ateam, with search engines picking it up and indexing it. Threat actors (and genuine cybersecurity workers) often come across publicly exposed data this way.
The company started contacting affected parties on December 20 to notify them that their data had been exposed to those with access to the precise URL, however Ateam also acknowledged that it has no evidence of any unauthorized access or damages.
Although user data looks to be completely safe, the near miss has pushed Ateam into action. It has promised to strengthen monitoring through security tools, review file sharing settings and permissions, and increase the awareness of officers and employees about the handling of personal information.