(Image: file photo) Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.The data could be downloaded without a password by anyone who knew the servers' web addresses.Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.According to Vickery, the four servers contained data that amounted to the "keys to the kingdom," he told ZDNet on a call last week. Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords -- some of which were stored in plaintext. Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which if stolen could allow an attacker full control over the company's encrypted data stored on Amazon's servers.Kenneth White, a security expert, said the exposure of master keys is as "bad as it gets for a cloud service provider." "Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised," said White.One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network. According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database -- the vast majority were stored in plaintext.When ZDNet first reached out to Accenture, the company downplayed the exposure, saying the data was less than half a percent of its cloud service, and that "none of our client's information was involved and there was no risk to any of our clients," citing the company's "multi-layered security model."When we challenged that assertion based on the information Vickery had seen, a spokesperson later said that an investigation was ongoing."We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson said.Accenture isn't the first company to be stung by this kind of data exposure. In recent months, a spate of high-profile companies, including phone companies and voter records analytics firms, have exposed sensitive data because they allowed their Amazon cloud servers to sit open and unsecured.Vickery said that Accenture was likely using the Amazon servers to migrate data from development to production. While some of the data he found included test accounts, he said many of the credentials "would have led me to plenty of client data if I had been willing to take advantage of it." There was no way to know for sure as doing so would fall foul of US computer hacking laws, he said. "But if I have credentials for their production environments, it's pretty safe to say anyone using Accenture's Cloud Platform was at great risk," Vickery told ZDNet. UpGuard's Dan O'Sullivan, who blogged about the data discovery, said hackers could have done an "untold amount of financial damage" to Accenture and any of its cloud-using customers.We asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about about two weeks ago," referring to Vickery.We reached out to several companies whose credentials appeared in the data.None of the companies would speak on the record prior to publication. But one company said when they contacted Accenture, the company told them it was "not aware" of any breach or exposure.When asked, a spokesperson would not say if any Accenture customers had been informed of the data exposure. Contact me securely Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5. Read More
Home » Fortinet Service Provider Industry News » Accenture left a huge trove of sensitive data on exposed servers
IoT security is critical, hard, achievable: 3 best network practices
The rapid adoption and deployment of IoT devices is a significant contributor to digital transformation. To...
Most Recent Articles
Five tips for easing into virtualization
From physical to virtual IT departments are becoming virtualized in an effort to deliver more services with less financial resources. Migrating from legacy systems to virtual systems doesn’t...
Verizon to Use KSI Blockchain Technology Developed for Estonia
Verizon is planning to offer blockchain services for enterprises. Visit us at www.sdncentral.com for the complete article.
Frontier sets phased SD-WAN rollout, focuses on driving business solutions
Frontier admits that while it trails its larger telco counterparts CenturyLink and Verizon on the SD-WAN front, that will enable it to learn from others as it focuses on crafting a solution set...
IDG Contributor Network: 3 reasons why security automation is as cool as blockchain
In October 2017, Forrester published one of its most popular reports, The Top 10 Technology Trends To Watch: 2018 to 2020.According to the report, a “dawning trend” is that automated security...
Security vs. Speed: The Risk of Rushing to the Cloud
Companies overlook critical security steps as they move to adopt the latest cloud applications and services.
CenturyLink Builds on a Double Dose of Security Smarts
Top security exec says the combination gives a better end-to-end view of customer network traffic, with both network and on-prem visibility.
NIA to Tackle NFV's Ball & Chain: Interoperability
One of the major hurdles in the way of NFV deployments is system interoperability - still!! So the New IP Agency (NIA) has launched an NFV interoperability certification program to provide some...
Catching a CASB Key to Securing SaaS
Managed security service providers are joining enterprises in looking to cloud access security broker software as a critical addition.
Security Not Keeping Up with Cloud-First Business Strategies
40% of respondents in a new survey felt that their security solutions aren’t as flexible as the rest of their cloud initiatives.
The New IP Agency Announces Interoperability Certification for Next-Gen Virtualization | Light Reading
The New IP Agency is rallying industry leaders to drive the virtualization market forward through proven interoperability of multi-vendor solutions.
The moving target of IoT security
As the explosive growth of IoT tech continues; businesses, vendors and consumers all have to confront the issue that the world is more connected than ever before, with potentially gigantic...
Key takeaways from Vodafone’s IoT Barometer report
Vodafone’s fifth annual IoT Barometer survey shows an acceleration of large internet of things deployments and more IoT investment — and return on that investment. “Nearly all of the companies...
CenturyLink, Windstream say SD-WAN security is not a one-size-fits-all concept
CenturyLink and Windstream are offering business customers various options for SD-WAN security.
CenturyLink debuts adaptive security platform, plays to mobile, remote workforce
CenturyLink has responded to the mobile workforce and bring your own device trends with its new Adaptive Network Security Mobility service, making it the standard security product for the new...
6 reasons you’re failing to focus on your biggest IT security threats
Humans are funny creatures who don’t always react in their own best interests, even when faced with good, contrarian data they agree with. For example, most people are far more afraid of flying...
Verizon Joins ONAP
Verizon's participation is kind of amazing given that half the ONAP code came from AT&T. Visit us at www.sdncentral.com for the complete article.
Comcast to AWS: I Dub Thee Preferred Cloud
Comcast and AWS are going steady, but not exclusive.
AT&T’s Rupesh Chokshi on NFV/SDN-enabled Business Networking
AT&T has been aggressively transforming its core network with software-defined networking (SDN) and network function virtualization (NFV), gaining the ability to offer on-site infrastructure to...
Using MSSPs to Secure SD-WAN
To secure SD-WAN, MSSPs can address the inherent volatility of digitally transforming the remote edges of the network.
Why digital transformation is now on the CEO’s shoulders