Cloud Backup Without Encryption: Thousands of Customer Records Exposed
How an unencrypted cloud backup exposes sensitive customer data and why businesses must urgently rethink their backup strategy.
The Scenario
Stefan Keller is the IT administrator at ProSecure Insurance Brokers Ltd. The company manages 3,200 clients, ranging from individuals to mid-sized businesses. Their database contains insurance contracts, claims reports, health questionnaires, income statements, and bank details — a treasure trove of data that would be devastating in the wrong hands.
Eight months ago, Stefan set up an automated backup system. Every evening at 11:00 PM, all databases and documents are backed up to cloud storage with a major provider. The system runs reliably, the backups are complete, and Stefan has nearly forgotten about it amid the daily workload.
What Stefan overlooked during setup: the cloud storage bucket was created with default settings. And the default setting was "publicly readable." For eight months — 243 nights — complete database dumps containing all customer data were uploaded to a publicly accessible storage location. No password. No encryption. No access restrictions.
The problem is not discovered internally. An IT security researcher who systematically scans for open cloud buckets finds the exposed data and contacts ProSecure, giving them 48 hours before publishing the findings. In the publicly accessible backup archive, the researcher finds: the complete client database with 3,200 records, 847 health questionnaires containing details about pre-existing medical conditions, over 12,000 scanned documents — passports, payslips, tax assessments — and the full email correspondence of the past two years.
Stefan's hands tremble as he grasps the scale of the breach. The next weeks will become the worst crisis in the company's history.
The Risks
Massive data exposure to the public: Open cloud buckets are systematically scanned by attackers, security researchers, and automated tools. Once an open bucket is discovered, the data spreads uncontrollably. It is impossible to determine who accessed the data during the eight months it was exposed.
Health data as a special category: The insurance clients' health questionnaires fall under Art. 9 GDPR — special categories of personal data. These carry heightened protection requirements. The disclosure of health data can have existential consequences for those affected: discrimination in credit applications, difficulties obtaining new insurance policies, or social stigmatization.
Large-scale identity theft: With passport copies, bank details, and income statements, criminals have everything they need for systematic identity fraud. With 3,200 affected clients, the potential for mass fraud is enormous.
Long-term exposure: The backup was updated without protection for eight months. Even if the current bucket is closed immediately, older copies of the data may have already been downloaded and archived by third parties. The data cannot be recalled.
Business-critical loss of trust: An insurance brokerage survives on client trust. If it becomes known that all client data was openly accessible on the internet for months, the business model is existentially threatened.
Legal Consequences
An open cloud backup containing personal data constitutes a severe violation of the GDPR with far-reaching legal implications.
Art. 32 GDPR — Security of processing: Storing personal data in a publicly accessible cloud bucket without encryption or access controls represents a flagrant violation of the obligation to implement appropriate technical and organizational measures.
Art. 9 GDPR — Processing of special categories: The unprotected storage of health data significantly aggravates the violation. Health data carries the highest protection requirements under the GDPR. A publicly accessible backup is the opposite of adequate protection.
Art. 33 and 34 GDPR — Notification obligations: The company must report the incident to the supervisory authority within 72 hours and individually notify all 3,200 affected clients. The logistical effort alone is substantial.
Art. 83(5) GDPR — Fine framework: For violations of processing principles and security requirements, fines of up to 20 million euros or 4% of annual global turnover may be imposed. Supervisory authorities have levied fines between 50,000 and 460,000 euros in comparable cases involving open cloud storage.
Civil mass litigation: With 3,200 affected individuals, the risk of a coordinated compensation claim is high. Courts are increasingly awarding non-material damages under Art. 82 GDPR — for health data, typically at the upper end of the scale.
How to Prevent This
An open cloud backup is an avoidable error. The right tools and processes eliminate this risk entirely.
1. Encryption as the default: Sensitive data must never be stored unencrypted in the cloud. SendMeSafe encrypts all files with AES-256 both in transit and at rest. An open bucket would be worthless because the data cannot be read without the key.
2. Secure document submission instead of local storage: Rather than collecting client documents in your own systems and then backing them up, clients can upload their documents directly through secure upload links into a protected environment. The documents are in a secure setting from the very beginning.
3. European server locations: SendMeSafe stores all data on servers in Europe. Unlike global cloud providers where the configuration of dozens of regions and buckets must be monitored, a specialized provider offers a clear and controllable data location.
4. Access control and audit trail: Every document access is logged. Suspicious access patterns are detected. Unlike a silent backup leak, you always know who is accessing what data.
5. Regular security reviews: A dedicated platform for secure document exchange drastically reduces the attack surface compared to self-configured cloud buckets. Less self-management means fewer misconfigurations.
Conclusion
Open cloud buckets remain one of the most common and simultaneously most preventable causes of massive data leaks. A single configuration error during setup can go undetected for months and affect thousands of customers. The consequences range from existentially threatening fines to devastating loss of trust.
The answer is not to train IT administrators better — although that matters — but to deploy systems where encryption and access control are not configuration options but the standard. SendMeSafe provides exactly that: encrypted data storage on European servers, secure transmission channels, and comprehensive access logs. Register now and start managing sensitive data securely.
Frequently Asked Questions
How do I find out if my cloud backups are publicly accessible?
Most cloud providers offer tools to check bucket permissions. Look for settings like "Public Access," "ACL," or "Bucket Policy" and ensure no public read access is configured. Additionally, external security scanners can automatically audit your cloud configuration. The safest approach is to avoid storing sensitive data in self-managed cloud buckets altogether and to use a specialized platform like SendMeSafe instead.
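The settings named above are easier to audit when you know what "public" looks like in the raw configuration. The following Go program is an added example, not part of the original article and not a SendMeSafe tool: it parses a constructed S3-style bucket policy and a constructed ACL grant list (the account id, role, bucket name and grantee ids are invented here) and reports every statement or grant that gives everyone access. The AllUsers and AuthenticatedUsers group URIs are the real predefined S3 groups; everything else in the input is made up.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed policy (not from the article): one statement is scoped to a
// single IAM role, the other grants read to everyone.
const samplePolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "BackupWriter", "Effect": "Allow", "Action": "s3:PutObject",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
   "Resource": "arn:aws:s3:::example-backups/*"},
  {"Sid": "PublicRead", "Effect": "Allow", "Action": "s3:GetObject",
   "Principal": "*", "Resource": "arn:aws:s3:::example-backups/*"}]}`

// Constructed ACL in the shape of a GetBucketAcl response.
const sampleACL = `{"Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
]}`

// Predefined S3 groups; a grant to either one is public in practice.
var publicGroupURIs = map[string]string{
	"http://acs.amazonaws.com/groups/global/AllUsers":           "anyone on the internet",
	"http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

// principalIsWildcard recognises "*", {"AWS": "*"} and {"AWS": [..., "*"]}.
func principalIsWildcard(raw json.RawMessage) bool {
	var m struct{ AWS json.RawMessage }
	var s string
	switch {
	case json.Unmarshal(raw, &s) == nil: // bare "*"
		return s == "*"
	case json.Unmarshal(raw, &m) != nil: // not an object either
		return false
	case json.Unmarshal(m.AWS, &s) == nil: // {"AWS": "..."}
		return s == "*"
	}
	var list []string // {"AWS": ["...", "..."]}
	_ = json.Unmarshal(m.AWS, &list)
	for _, p := range list {
		if p == "*" {
			return true
		}
	}
	return false
}

// PublicStatements returns the Sids of Allow statements addressed to everyone.
// Statements carrying a Condition are still reported but marked for review,
// because a condition may or may not narrow the audience. Only the array form
// of "Statement" is handled.
func PublicStatements(policyJSON string) ([]string, error) {
	var p struct {
		Statement []struct {
			Sid, Effect          string
			Principal, Condition json.RawMessage
		}
	}
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	var out []string
	for _, st := range p.Statement {
		if st.Effect != "Allow" || !principalIsWildcard(st.Principal) {
			continue
		}
		if len(st.Condition) > 0 {
			out = append(out, st.Sid+" (conditional, review)")
		} else {
			out = append(out, st.Sid)
		}
	}
	return out, nil
}

// PublicGrants describes every ACL grant that targets a public group.
func PublicGrants(aclJSON string) ([]string, error) {
	var a struct {
		Grants []struct {
			Grantee    struct{ URI string }
			Permission string
		}
	}
	if err := json.Unmarshal([]byte(aclJSON), &a); err != nil {
		return nil, err
	}
	var out []string
	for _, g := range a.Grants {
		if who, ok := publicGroupURIs[g.Grantee.URI]; ok {
			out = append(out, g.Permission+" to "+who)
		}
	}
	return out, nil
}

func main() {
	pub, _ := PublicStatements(samplePolicy)
	grants, _ := PublicGrants(sampleACL)
	fmt.Println("public policy statements:", pub, "| public ACL grants:", grants)
}
```

Feed it the JSON returned by the provider's policy and ACL calls (for S3, `aws s3api get-bucket-policy` wraps the policy document in a "Policy" string field that has to be unwrapped first). A non-empty result from either function means the bucket fails the check in the answer above, and a bucket-level "Block Public Access" setting is the guard that should have made both findings impossible in the first place.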
Is encrypting backups enough to be GDPR-compliant?
Encryption is an important building block but not sufficient on its own. The GDPR requires a comprehensive concept of technical and organizational measures that includes access control, regular reviews, documentation, and incident response plans. However, encryption significantly reduces risk in the event of a data leak and can be considered a mitigating factor in fine assessments.
Who is liable if an external cloud provider was misconfigured?
Fundamentally, the company that processes the personal data bears liability — the client organization, not the cloud provider. As the controller under Art. 4(7) GDPR, you carry the obligation to ensure the security of your data processing, even when using external services. A data processing agreement governs responsibilities but does not release you from your duty of care.
How long can an open cloud backup remain undetected?
Alarmingly long. Studies show that misconfigurations in cloud environments are discovered on average only after 120 to 200 days. During this period, data may have been downloaded by countless third parties without the company's knowledge. Automated monitoring tools and regular security audits are therefore indispensable.