How a personal NAS device exposed years of confidential financial sector data
Inhaltsübersicht
A single unsecured personal device. A decade’s worth of confidential contracts, bid documents, and internal information from financial and banking institutions.
No breach, no malware, just waiting for an attacker to find them.
This is what CybelAngel analysts discovered during a recent investigation. It is one of the clearest examples we have seen of a risk category most organizations are not equipped to address: data that is exposed through valued people, not attackers.
The exposure at a glance
| Quelle | Personal NAS device on a residential internet line, no authentication |
| Duration of data | More than ten years of accumulated documents |
| Band | Hundreds of confidential files |
| Affected sector | Financial institutions across a European payments ecosystem |
| Data types | Bid documents, contracts, pricing data, personal data |
| Root cause | Workstation contents archived by a departing employee |
| How it was found | A single keyword match during routine CybelAngel monitoring |
How CybelAngel detected the exposed NAS device
During routine open source monitoring, CybelAngel detected an exposed FTP server hosted on a personal network-attached storage (NAS) device — a consumer-grade file server connected to a residential internet line. The device had no authentication in place and was fully accessible from the open internet.
The owner had spent nearly a decade in a senior role, overseeing major payment procurement processes on behalf of a public financial institution. At the end of their employment, the contents of their workstation appear to have been copied to this personal device as a private archive.
The result: hundreds of accumulated confidential documents, spanning more than ten years, linked to several major financial institutions across a European payments ecosystem, sitting on an unsecured home server open to anyone who looked.
What data was exposed?
These hundreds of sensitive documents fell into several categories:
- Bid documents from public tenders exposing full technical offers, security assurance plans, and business continuity plans. In competitive markets a bid response is among the most sensitive documents an organization produces, revealing pricing strategy, technical architecture, and in some cases internally identified weaknesses.
- Active contract documentation containing operational documents, technical specifications, project dashboards, and internal communications from past and ongoing collaborations.
- Pricing data exposing detailed tariff documentation and commercial agreements.
- Personal data of various individuals, creating a whole host of opportunities for highly effective phishing or social engineering attacks.
Several of the documents carried explicit confidentiality markings and redistribution bans. None of that mattered once the device was reachable from the open internet.
Why personal devices are an invisible third-party risk
Misconfigured NAS devices are a common and known risk — our analysts have previously found 45 million medical images exposed on unprotected NAS servers. This is why organizations invest heavily in securing their own infrastructure with firewalls, endpoint controls, and data loss prevention tools. The internal perimeter has never been better defended.
But this exposure happened entirely outside of the IT team’s authority.
The data did not leave through a malfunction or weakness of the security perimeter, but through a trusted and valued person. Someone with legitimate and authorized access to sensitive files. Once that data left the organization’s environment, it became invisible to every security control the organization had in place.
98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years, according to research by SecurityScorecard and the Cyentia Institute. Whether that is through a third-party supplier, a legal team, or their own employees who retain copies of data on personal devices.
This is not uncommon behavior. Many people archive work they consider professionally significant on their personal devices. The problem is that once the data leaves the organization’s environment, it is invisible to your SOC teams.
This is third-party and supply chain risk in one of its least visible forms. Not a supplier’s system being compromised — but data flowing through a professional relationship, retained beyond employment, and left exposed on a consumer device.
Procurement data is a risk category of its own
The industry and role the employee held makes this exposure particularly acute.
When organizations submit bids for public tenders, they hand detailed technical and commercial information to a contracting authority. Bid responses reveal a great deal of sensitive information, including potentially live configuration of systems still running today.
Questionnaires and vendor audits address the systems your supplier operates. They don’t address the data that has left your organization through a procurement process years ago.
Under the Digital Operational Resilience Act (DORA), financial entities operating in the EU are now required to maintain ICT third-party risk management frameworks, including controls over data shared with external actors. Under the NIS2-Richtlinie, management bodies carry personal liability for supply chain risk failures. The exposure CybelAngel analysts identified was not only a cybersecurity risk for financial sector clients, but also represents a significant compliance concern.
FAQs
A network-attached storage (NAS) device is a personal or small-business file server connected to a home or office network. Many NAS devices are intentionally configured for remote access, allowing owners to reach their files from anywhere. When misconfigured or left without authentication, they become fully accessible from the open internet.
In most cases, it is not malicious. Employees working on sensitive projects frequently save copies of documents locally for convenience, and those local copies follow them when they change roles or leave an organization. In regulated environments like financial services or public procurement, this creates a long tail of sensitive data that exists entirely outside the organization’s control long after the relevant person has departed.
DORA requires financial entities operating in the EU to implement ICT third-party risk management frameworks covering the full lifecycle of data shared with external parties, including procurement counterparties and former contractors. Institutions are required to maintain inventories of critical third-party dependencies and conduct ongoing risk assessments.
CybelAngel's Prävention von Datenschutzverletzungen platform continuously monitors open, deep, and dark web sources for exposed data linked to our customers’ assets and keywords. When an exposed device is detected, our analysts examine the content and metadata to identify affected organizations, assess the sensitivity of the exposed material, and deliver actionable incident reports.
In this case, a single keyword linked to a client’s internal project was detected on this open NAS device. Upon manual investigation, our analysts discovered the server contained hundreds of sensitive and confidential files spanning a European payments ecosystem.
