People Have Uploaded Private Information To Microsoft's Docs.com Service – And It's Totally Public
Among the documents seen by BuzzFeed News were national insurance numbers and benefit claims and appeals, as well as details of legal disputes.
People have been uploading highly sensitive documents to a Microsoft cloud sharing service, seemingly unaware the material is public by default and so could be vulnerable to online criminals.
Docs.com is a free document-sharing platform that allows users with Microsoft 365 to upload any data they wish. People use the platform to share information between colleagues, friends, or family – but each upload is indexed by a search engine and publicly available.
Microsoft now warns users about their privacy in a pop-up before they upload documents. But internet security expert Graham Cluley, who tested the site's settings, told BuzzFeed News that having documents set to public rather than private by default was a "fundamental flaw".
Although the company had not done anything wrong "by the letter of the law", Cluley said, he warned that Microsoft was not fulfilling a basic duty of care to those using its platform.
The issue was first reported by US tech website Ars Technica after a number of Twitter users raised concerns earlier this week.
Despite concerns being logged with Microsoft by the website and some users, the search bar – and the ability to "search" and "find" – was still up and running.
Among the documents easily found by BuzzFeed News were completed national insurance forms clearly listing an individual's name, occupation, and NI number.
BuzzFeed was able to find lists of people's passwords, as well as their bank account details and medical histories. Some people had also uploaded applications for welfare support, such as employment and support allowance (ESA).
One ESA appeal, seen by BuzzFeed News, was a letter to the Department of Work and Pensions (DWP), written by Warren* on behalf of his partner last year.
Warren, from London, listed his partner's national insurance number, medical conditions, and medication, explained the circumstances of her appeal, and gave her doctor's name and surgery address. He also listed his own mobile phone number as a point of contact.
When contacted by BuzzFeed News, Warren said it was the first he had heard about the document – written in October last year – being public. It seems that he had missed the privacy warning telling users that their information would be publicly available.
He asked us to read the letter to him and his partner and double-checked her NI number as well as the date and address.
"I can't believe it...wow. That is so fucked up," he told BuzzFeed News. "I'm just really disgusted that something so private can be made so public. It's just...I mean, what else is public?"
Another ESA appeal, uploaded in August of last year and also seen by BuzzFeed News, listed a 24-year-old Scottish man's serious medical conditions – including bipolar disorder and depression – and the medication he was on.
Anyone interested could view his address, his family's address, their phone numbers, his national insurance number, and his doctor's surgery.
BuzzFeed News contacted the man's family to make them aware of the situation. They declined to comment, but expressed shock that anyone had been able to see their son's information, and said they did not know it was publicly available. The family has since removed the information from Docs.com.
In another appeal to the DWP, an apparently retired man from Scotland listed his address, bank details, and pension details.
Next to every document opened and seen by BuzzFeed News was an embedded comment box from the commenting service Disqus, effectively inviting anyone who came across the information – be it a legal conflict, welfare appeal, or doctor's note – to comment anonymously.
All of the documents viewed by BuzzFeed News were available to download.
Shortly after Microsoft was alerted to the problem by Ars Technica, the company said it had removed the search function on Saturday night. But as of today, the function allowing anyone to search through the data was still available.
When BuzzFeed News tested out the software, uploading a visa application in PDF format, we received a pop-up warning before hitting publish. The warning stated the information would become "publicly available on the web", and told us to "make sure it doesn't contain private information".
Users of the service have always been advised that their documents would be public, BuzzFeed News understands; however, the pop-up warning shown before publishing was added only last year.
Cluley, the computer security and internet privacy expert who tested the settings on Docs.com, told BuzzFeed News: "The potential is for things like identity theft, accounts to be broken into, a method by which online criminals can access the information."
He said the flaw was a "fundamental problem" of Microsoft's decision to make documents uploaded to the site public rather than private by default.
"I’m not suggesting that Microsoft was deliberately trying to pull the wool over people’s eyes but it made a bad decision in terms of privacy," he said.
"They haven’t done enough of a cleanup operation," he added. "It may be difficult for them to do it, of course, but this is a mess they have made."
In a statement, a Microsoft spokesperson told BuzzFeed News:
Docs.com lets customers showcase and share their documents with the world. As part of our commitment to protect customers, we're taking steps to help those who may have inadvertently published documents with sensitive information. Customers can review and update their settings by logging into their account at www.docs.com.
When asked whether the company intended to inform users their information was publicly searchable, a company spokesperson responded that they had "nothing further to add beyond the statement".
Users concerned about their data can change the settings by clicking on the public item, selecting "edit details", and then changing the setting to "limited". Other people will then only be able to see the document if a link is sent directly to them.
*Not his real name.