How Box.com allowed a complete stranger to delete all my files
Six months ago the cloud storage service gave control over my account to someone else, who then nuked it. Fortunately, my data survived.
Let me start by saying that I am a bit of a nut about cloud storage. The ability to store all my data online, automatically sync it, and access it from virtually any machine has changed my life in a number of ways, almost all of them good.
So I use services like Dropbox, SkyDrive, Google Drive, and Box.com religiously to move work between my desktop and laptop and/or collaborate with far-flung colleagues. I never have to worry about having the latest version of a story to work on, or even what machine I need to bring with me. It's nice.
But I recently had a disturbing experience with one of these services - Box.com - that has caused me to re-evaluate my relationship with the cloud. Here's the story.
About a month ago, I needed to send some very large high-res photos to one of my editors. Emailing these things is a total pain - email servers tend to strip off attachments if they are too big, and keeping track of what images an editor does and doesn't have is a nightmare - so I typically upload them to a Box.com folder and send an invitation to it. He can download the files at his leisure simply by clicking a link in the email, without having to install any software on his computer. He gets notified when I upload new files, I get notified whenever he downloads one, we're both happy.
But when I went to my Box.com account to create a new folder for this project, I discovered that my login didn't work. Well, I am always forgetting passwords, despite having installed 397 different password managers over my lifetime. So I tried to request a new one. Box told me that there was no account associated with that email address. OK, I thought, the account was three years old, I have at least 43 different email addresses, maybe I used one of the older ones. So I tried several other likely email addresses. None of them had a Box.com account associated with them.
I went back to my inbox and searched for emails from Box. The last one I'd gotten was dated last April, sent to the email address I tried the first time.
Something clearly was amiss. So I contacted Box.com support and asked them what the hell had happened to my account. Their response was chilling: They had no record of any account associated with my email address. I forwarded them the emails they had sent to that very address. No matter, they couldn't find it. I gave them my alternate email addresses. No dice. I gave them the email addresses of several people with whom I had shared files over the years, thinking maybe the account had been mistakenly assigned to them. Nope.
It was gone.
My account had vanished into thin air - and taken three years' worth of files with it.
Abort retry fail
Mind you, this was not a life- or work-threatening situation. These were not my day-to-day data files. They were almost exclusively product shots, many of which I had copies of, none of which I cared about in particular.
So the loss of my Box.com folders was not a personal tragedy. (Had I lost my Dropbox account, though, I would have been screwed.) Still, I had to know what happened. For a cloud storage service as well known as Box to simply lose an account is kind of a big deal.
I had exhausted my support options, so I put on my reporter's hat and politely asked Box.com corporate to look into this problem for me. At this point, I still held out hope that it was something stupid I had done that caused my files to be mislaid. Perhaps one of my various collaborators had sent a password reset and changed the email address associated with it. Perhaps I had hit my storage limit and missed the emails from Box.com prompting me to upgrade.
It took nearly three weeks to get the whole story, and it's a doozy.
My account, I was told, had been "rolled in" last April by a Box.com employee into an account controlled by a large public relations firm that I had never heard of. This is something Box does from time to time for its enterprise customers. Per a Box spokesperson:
Businesses with a large number of employees using Box as free users will often formalize their relationship with Box and "roll-in" their free users to a corporate account to get access to additional features (like unlimited storage or the admin console). Sometimes this includes external collaborators: people who don't work for the company, but have deep collaborative relationships with them.
My lovely and talented wife, with whom I collaborate on stories for Family Circle (where we used Box.com a lot), had apparently invited an employee of this PR firm to upload an image to one of our shared folders last April. That was enough to convince a Box.com employee that my wife was a "collaborator" with this firm, and to roll in my account without ever notifying her, me, or anyone else.
On May 2, an employee at the large PR firm saw my wife's name on the list of people with access to their Box account, didn't recognize it, and hit the delete button. Poof! My Box.com account was now history.
Tragedy of errors
Needless to say, this is not how it's supposed to work. To recap:
- Box handed control over my account to someone who was a complete stranger to me;
- They did it because of a one-time association with someone else, who happened to have access to some of my folders;
- They failed to notify me or any of my other collaborators that they were giving control of my account to someone else;
- They failed to confirm deletion of the account with the person who created it (i.e., me); and
- Box.com support was helpless to do anything about it or give me any information. Had I not pulled the journalist card, I'd still be scratching my head over what had happened.
Executives at Box claim that this kind of error has never happened before - and, to be fair, I could find nothing about anyone having a similar experience - and were deeply apologetic. They also said they are instituting several measures to ensure it does not happen again. Here's the official statement:
We're very sorry this happened to your account. It's not representative of the level of care that we strive to devote to our users' files, nor does it live up to the level of customer service that we should provide. We are putting in place several additional safeguards to ensure that this type of mistake does not happen again, including stricter restrictions on how existing accounts are assigned to enterprises, and user notification and approval of proposed account reassignments. We've also begun an exhaustive audit to uncover any other issues in our systems or policies that could lead to any similar mistakes in the future. We apologize for the inconvenience.
Flirting with disaster
Late last night, after I'd given up all hope of ever seeing my files again, I got an email from Box. Thanks to some no doubt heroic digital forensics, they had managed to locate and restore all my missing folders.
So no harm, no foul, right? Not exactly. For six months my data was in limbo. Anyone could have had access to it and done whatever they pleased with it. And while the loss of those files was not a big deal to me, had circumstances been altered slightly it could have been a very big deal. For example:
* Work files. Had I lost my day-to-day files (which I store on Dropbox), I would likely have been unable to complete assignments. At the very least I would have to go back and recreate my work, costing me time and money. Some of my contracts require me to hold onto my notes for up to four years after publication, in case of a lawsuit, so I would have been in breach.
* Financial records. I scan all my paychecks and store them (on SkyDrive, not Box.com - fortunately). Our tax form PDFs are all on some cloud storage service, either SkyDrive or Dropbox, as are all our receipts. These would have been in the hands of a total stranger - perfect fodder for identity theft. And if the IRS suddenly decided to audit us? We'd be at their mercy.
* Health records. We scan all our doctors' bills and insurance statements and store them in the cloud. So now we're talking about medical identity theft for us and our kids - a situation that's much harder to resolve than standard financial ID theft.
* Intellectual property. Any original works we have created - novels, screenplays, inventions, business plans, Web designs, photographs, etc. - would also be in the hands of a stranger.
Like I said, the potential for disaster was enormous - you might even say porcine - especially in a world where cloud security and reliability are far from assured.
Both sides now
Bottom line: Your cloud data isn't as safe as you might think. A cloud company could get hacked or suddenly go belly up, taking your data with it. Unscrupulous admins could access your account and have their way with your data. And sometimes people just screw up and the companies don't have adequate procedures in place to detect and prevent it. (Hey, if it can happen to Box, it can happen to anybody.)
But there are things you can do to mitigate the risk. One is to always keep a recent data backup on hand. Another is to encrypt your sensitive files before you upload them. They're both more hassle, and they take some of the allure and ease out of cloud storage.
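An added example, not part of the original article: one way to check the first mitigation above, by comparing a synced cloud folder against a local backup and listing what would be lost if the account vanished. The folder layout, file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest.hexdigest()
    return result

def compare(cloud_root, backup_root):
    """Classify files by comparing the synced folder with the local backup."""
    cloud, backup = manifest(cloud_root), manifest(backup_root)
    return {
        # In the cloud folder only: lost for good if the account disappears.
        "not_backed_up": sorted(set(cloud) - set(backup)),
        # In the backup only: deleted (or never uploaded) on the cloud side.
        "gone_from_cloud": sorted(set(backup) - set(cloud)),
        # In both, but contents differ: the backup is stale or a copy changed.
        "differs": sorted(p for p in set(cloud) & set(backup)
                          if cloud[p] != backup[p]),
    }

def demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        cloud, backup = os.path.join(tmp, "cloud"), os.path.join(tmp, "backup")
        samples = {  # constructed sample data: (cloud contents, backup contents)
            "photos/shot1.jpg": (b"image-a", b"image-a"),
            "photos/shot2.jpg": (b"image-b", None),
            "notes/story.txt": (b"draft 2", b"draft 1"),
            "tax/2012.pdf": (None, b"pdf-bytes"),
        }
        for rel, pair in samples.items():
            for root, data in zip((cloud, backup), pair):
                if data is not None:
                    path = os.path.join(root, *rel.split("/"))
                    os.makedirs(os.path.dirname(path), exist_ok=True)
                    with open(path, "wb") as fh:
                        fh.write(data)
        return compare(cloud, backup)
```

Run on a schedule against the real sync folder, a non-empty "gone_from_cloud" list is an early sign that files have disappeared on the provider's side.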
Me, I will continue to use the cloud, because really, what other choice do I have? Carry a thumb drive with me 24/7? Been there, done that. But I'm not nearly so blasé about it. I feel like I had a close call and survived without a scratch. Next time I might not be so lucky.
Got a question about social media or privacy? TY4NS blogger Dan Tynan may have the answer (and if not, he'll make something up). Follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to's, follow ITworld on Twitter and Facebook.