Accidentally Sharing CrashPlan Data

Thurs 19th Jan 2017

I'm always recommending friends take backups of their important files, so last night when one of them proudly told me that he had finally got round to setting himself up with CrashPlan, it was great news. More than that, he had bought the family package which allows for up to ten machines on the same account, and set all his family and in-laws up as well. On the surface this seems like a really good thing, a bunch of machines which were not previously backed up are now protected.

The only problem is, as well as backing files up, any machine on the account can also view file lists and then restore files for any other machine. This means parents can restore the kids files, which is good, but the in-laws can restore the parents files, which isn't as good. Imagine the following scenario:

Alice values her security, understands patching, runs appropriate security tools and knows not to click on bad links. Alice's father-in-law knows nothing about security, is still running XP and clicks anything sent to him.

Alice works on a very important business document on her home machine and the file gets backed up. Her father-in-law then gets phished and the attackers pull down all files from all attached CrashPlan machines.

Alice's sensitive document is now in the hands of criminals and all because of an act of Christmas generosity.

Even if you blame Alice for working on a work document on her home PC, what about a kid seeing dad's picture download directory or husband, Carl, seeing wife, Denise's, divorce plans?

The moral of this isn't to stop backing up your files but to think about who may get access to them once it's been done and consider any extra precautions which may be required. Enforced segmentation of work and home would have saved Alice and restricting what directories are backed up would have saved Bob.

Denise could have used encryption to prevent Carl from reading her private documents but, even with this, she has the problem of timing and listings. CrashPlan runs its backups periodically and keeps every version of the backed up file, so, unless she encrypts her documents as they are created, there is a chance an early version will get picked up and stored away for Carl to later retrieve. Similarly, even if she encrypts from the start, if the file is called "divorce evidence.docx", Carl will get a very good idea of its contents just from the file listings.

I've talked to CrashPlan about this and they confirmed that everyone who is set up on the account, by default, has full access to everything. This is to prevent abuse of the family plan by companies as, in their eyes, everyone on the plan should be trusted. They do have a way to add protections for individual machines but really don't recommend it. You can read all about it on their support site.

This isn't an attempt to knock CrashPlan, I use it as one of my backup solutions, but more a call to think about where your data could end up, regardless of what service you are using. Little acts of generosity could end up getting you into a whole world of problems.

And for my friend, he couldn't go back and remove the in-laws backups so he ended up buying himself a second account which he is going to think a bit harder about before sharing.