Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.

The data could be downloaded without a password by anyone who knew the servers' web addresses.

Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.

According to Vickery, the four servers contained data that amounted to the "keys to the kingdom," he told ZDNet on a call last week.

Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords -- some of which were stored in plaintext.

Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which, if stolen, could allow an attacker full control over the company's encrypted data stored on Amazon's servers.

Kenneth White, a security expert, said the exposure of master keys is as "bad as it gets for a cloud service provider."

"Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised," said White.

One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet.
Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network.

According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database -- the vast majority were stored in plaintext.

When ZDNet first reached out to Accenture, the company downplayed the exposure, saying the data was less than half a percent of its cloud service, and that "none of our client's information was involved and there was no risk to any of our clients," citing the company's "multi-layered security model."

When we challenged that assertion based on the information Vickery had seen, a spokesperson later said that an investigation was ongoing.

"We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson said.

Accenture isn't the first company to be stung by this kind of data exposure. In recent months, a spate of high-profile companies, including phone companies and voter records analytics firms, have exposed sensitive data because they allowed their Amazon cloud servers to sit open and unsecured.

Vickery said that Accenture was likely using the Amazon servers to migrate data from development to production. While some of the data he found included test accounts, he said many of the credentials "would have led me to plenty of client data if I had been willing to take advantage of it."
There was no way to know for sure as doing so would fall foul of US computer hacking laws, he said.

"But if I have credentials for their production environments, it's pretty safe to say anyone using Accenture's Cloud Platform was at great risk," Vickery told ZDNet.

UpGuard's Dan O'Sullivan, who blogged about the data discovery, said hackers could have done an "untold amount of financial damage" to Accenture and any of its cloud-using customers.

When we asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about two weeks ago," referring to Vickery.

We reached out to several companies whose credentials appeared in the data.

None of the companies would speak on the record prior to publication. But one company said when they contacted Accenture, the company told them it was "not aware" of any breach or exposure.

When asked, a spokesperson would not say if any Accenture customers had been informed of the data exposure.

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.