Corporate consulting giant Accenture left bucketloads of sensitive corporate and client data exposed online for anyone to access. Luckily for them, it seems that UpGuard director of cyber risk research Chris Vickery was the only one who stumbled upon it.
Publicly accessible and downloadable data
He discovered the four unsecured AWS S3 storage buckets on September 17, and notified the company the next day. Accenture moved to secure the storage servers the day after.
“All four S3 buckets contain highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform. All were maintained by an account named ‘awsacp0175,’ a possible indication of the buckets’ origin,” UpGuard analyst Dan O’Sullivan shared.
The servers seemingly contained secret API data, authentication credentials, certificates, decryption keys, private signing keys, client credentials and passwords, data dumps, customer information, credentials for Accenture’s Google and Azure accounts, and more.
“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,” O’Sullivan noted.
“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients.”
Accenture acknowledges the finding
Accenture confirmed the revelation to ZDNet, but first claimed that none of their clients’ information was involved and that there was no risk to any of them.
Later they said that they were investigating the incident, but that “email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system.”
They also said that server logs showed the buckets had been accessed from a non-authorized IP address only once, and that the IP address was traced back to Vickery.
The problem of unsecured cloud data servers
“It doesn’t take much for outsiders – malicious or not – to find unsecured data servers such as the four that housed Accenture’s data,” Bitglass CEO Rich Campagna commented for Help Net Security.
“There has been a run of simple and avoidable AWS misconfigurations that recently led Amazon to introduce ‘Macie’ to discover, classify and protect sensitive data. In most cases, the misconfigurations have been by well-meaning employees with excessive privilege and little security oversight.”
He said that organisations must leverage security technologies such as those provided by the public cloud providers, identity-as-a-service (IDaaS) providers, and cloud access security brokers (CASBs) to gain visibility and control over cloud services like AWS.
“It could also be argued that any of these misconfigurations or accidental uploads could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks,” he added.
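The kind of check that would have caught the Accenture buckets, as an added example that is not UpGuard’s, Accenture’s or Amazon’s own code: it evaluates an S3 bucket ACL and bucket policy, in the JSON shapes the AWS API returns, and flags the “accessible to anyone stumbling across their URLs” case while treating a statement conditioned on a corporate IP range as restricted. The bucket name, account ID and IP range in the samples are constructed.

```python
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anonymous internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account at all
}


def acl_public_grants(acl):
    """Permissions the bucket ACL hands to the two world-readable grantee groups."""
    return [g.get("Permission") for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def policy_public_actions(policy):
    """Actions an unconditional Allow statement grants to Principal '*'."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # a Condition (e.g. aws:SourceIp) means it is not open to everyone
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if "*" in _as_list(principal or []):
            actions.update(_as_list(stmt.get("Action", [])))
    return sorted(actions)


def bucket_is_public(acl, policy):
    """True if either document lets arbitrary outsiders read the bucket."""
    return bool(acl_public_grants(acl)) or bool(policy_public_actions(policy))


# Constructed samples shaped like boto3 get_bucket_acl / get_bucket_policy output.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLEOWNERID"}, "Permission": "FULL_CONTROL"}
EVERYONE = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}                      # anyone can list and fetch objects
EXPOSED_ACL = {"Grants": [OWNER, EVERYONE]}
PRIVATE_ACL = {"Grants": [OWNER]}
GET = {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [dict(GET, Principal="*")]}
RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [dict(
    GET, Principal={"AWS": "arn:aws:iam::123456789012:root"},
    Condition={"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}})]}  # corporate range only
```

Against a real account the same functions run over the output of boto3’s `get_bucket_acl` and `get_bucket_policy` for every bucket returned by `list_buckets`.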