Microsoft One Drive for Business might not be storing your data as securely as you might hope

(Image credit: Shutterstock - monticello)

OCR and image recognition data are being stored insecurely in OneDrive for Business, expert claims
Locally stored data is putting companies at risk of leaks
Hybrid working amplifies the security challenges

Security expert Brian Maloney has criticized Microsoft for storing OneDrive for Business files insecurely on users’ devices.

He claims the popular cloud storage tool allegedly stores data obtained from image OCR in an unsecured database on account holders’ PCs, putting them at risk of data exfiltration.

Although there are benefits to storing data locally, it can pose security concerns if the storage is inadequately protected, Maloney has claimed.

OneDrive for Business storing files locally, but insecurely

Microsoft, together with other companies like Apple, uses OCR (optical character recognition) and image recognition to enhance search and other features.

In a series of X posts, Maloney wrote: “Just a heads up. M$ is OCRing all your images in OneDrive for business in an unsecured database on your desktop/laptop. Happy Friday. #DFIR.”

Because OCR is stored in plain text, attackers who are successful in obtaining access to the databases can acquire potentially sensitive information from unknowing victims.

vx-underground.org added to Maloney’s work on X, sharing: “Any image saved with OneDrive is stored locally in a SQLite file (for offline mode, or something).”

Although business-issued hardware typically involved additional layers of security, such as encrypted storage, biometric security, and access to company systems via protected networks such as VPNs, the rise of hybrid working now means that more workers are accessing their business accounts, including OneDrive for Business, from their own personal hardware, which might not have such strong protection.

TechRadar Pro has asked Microsoft to comment on its decision not to protect OCR databases, but we have not received an immediate response.

In the meantime, users should consider only enabling features that they intend to use in order to minimize risk. Employees should also be vigilant to attacks, including avoiding clicking on suspicious links and sharing credentials online.

We’ve rounded up the best OCR software around
Did you download something dodgy? Consider the best malware removal
Still keeping data in unlicensed Microsoft OneDrive? Act now or lose it forever

TOPICS

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!