(Image: file photo) Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.The data could be downloaded without a password by anyone who knew the servers' web addresses.Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.According to Vickery, the four servers contained data that amounted to the "keys to the kingdom," he told ZDNet on a call last week. Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords -- some of which were stored in plaintext. Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which if stolen could allow an attacker full control over the company's encrypted data stored on Amazon's servers.Kenneth White, a security expert, said the exposure of master keys is as "bad as it gets for a cloud service provider." "Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised," said White.One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network. According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database -- the vast majority were stored in plaintext.When ZDNet first reached out to Accenture, the company downplayed the exposure, saying the data was less than half a percent of its cloud service, and that "none of our client's information was involved and there was no risk to any of our clients," citing the company's "multi-layered security model."When we challenged that assertion based on the information Vickery had seen, a spokesperson later said that an investigation was ongoing."We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson said.Accenture isn't the first company to be stung by this kind of data exposure. In recent months, a spate of high-profile companies, including phone companies and voter records analytics firms, have exposed sensitive data because they allowed their Amazon cloud servers to sit open and unsecured.Vickery said that Accenture was likely using the Amazon servers to migrate data from development to production. While some of the data he found included test accounts, he said many of the credentials "would have led me to plenty of client data if I had been willing to take advantage of it." There was no way to know for sure as doing so would fall foul of US computer hacking laws, he said. "But if I have credentials for their production environments, it's pretty safe to say anyone using Accenture's Cloud Platform was at great risk," Vickery told ZDNet. UpGuard's Dan O'Sullivan, who blogged about the data discovery, said hackers could have done an "untold amount of financial damage" to Accenture and any of its cloud-using customers.We asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about about two weeks ago," referring to Vickery.We reached out to several companies whose credentials appeared in the data.None of the companies would speak on the record prior to publication. But one company said when they contacted Accenture, the company told them it was "not aware" of any breach or exposure.When asked, a spokesperson would not say if any Accenture customers had been informed of the data exposure. Contact me securely Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5. Read More
IoT security is critical, hard, achievable: 3 best network practices
The rapid adoption and deployment of IoT devices is a significant contributor to digital transformation. To...
Other content in this Stream
Configuring Active-Active Enterprise Firewall in Microsoft Azure
Achieving High Availability for a secure connection for cross-premises and hybrid Cloud deployment is essential and yet can be quite simple with the right product. Fortinet’s Martin Twombly walks...
The Enterprise Cloud Rush
Starting with the first commercial public cloud launch in 2006, it has become apparent to enterprise organizations that moving infrastructure out of their traditional data centers has tremendous...
On-Demand Cloud Security for Microsoft Azure
Cloud has gone mainstream and its growth is accelerating as new delivery, management, and security options become available.
Securing Microsoft Azure: A new Fortinet-Microsoft Cloud Security Workshop Series
For many organizations the value – speed, agility, productivity, and cost reduction, etc. – of moving to the public cloud is not only compelling, it is becoming mission critical....
Microsoft Azure Security Center & Fortinet: Scaling Security & Securing the Cloud
What do you get when you combine the world’s most widely deployed NGFW with the largest scalable infrastructure and then add-in unmatched granular visibility, control, threat prevention and a whole...
Microsoft and Fortinet Extend Partnership to Secure Mission-Critical Workloads in Azure Government Cloud
Fortinet and Microsoft today announced an extension of their partnership to protect the cloud environments of their joint government customers. The US Federal Government sets the world’s highest...
Delivering Personalized Medications to Patients Around the World
As a multinational medical company, this organization specializes in customized pharmaceutical products. Many of its patients are allergic to standard prescription ingredients, others require a....
Azure Security Center and Fortinet: Integrated Threat Management Solution for Cloud Workloads
Over the last 18-24 months the embrace of public cloud for critical workloads has transitioned from the “investigative” stage to “plan of record” for the majority of organizations...
Webinar: NOC Down SOC Barriers
Address today's IT security resource shortage, complex networks, and delayed response to threats. Find out how breaking down your NOC and SOC silos introduces amazing visibility and efficiencies.
Amazon GuardDuty and Automating Cloud Security with the Security Fabric
Fortinet is excited to announce the integration of the Security Fabric with Amazon GuardDuty to automate remediation and threat intelligence in Amazon Web Services. This integration accelerates...
Multi-Cloud Security Checklist: 8 Things CISOs Need to Remember
Cloud computing is an inherently dynamic and rapidly changing space. With the vast majority of organizations now adopting multi-cloud environments, the breadth and depth of the attack surface has...
Fortinet Cloud Security Demo
Watch this recorded demo to learn how Fortinet’s cloud security solutions extend the Fortinet Security Fabric to scale and segment the hybrid cloud.
Why Legacy Security Architectures are Inadequate in a Multi-Cloud World
Read the eBook learn more about the security gaps, compliance, and administration issues due to cloud. Plus find out what type of archticture can keep up with today's multi-cloud environments.
Securing VMWare Cloud on AWS
Configuring FortiGate Autoscaling
Fortinet's integrates with AWS Auto Scaling and Load Balancing (ELB), allowing the FortiGate virtual instances to scale dynamically yet independently per AWS workloads.
Getting Started with FortiAnalyzer On-Demand in AWS
Learn how to launch an on-demand based FortiAnalyzer AWS instance in Amazon cloud and use it for FortiGate logging.
Q&A: Securing the Move to the Cloud
In the past decade, cloud computing has become increasingly popular among enterprises, with Gartner Research projecting IT spending on public cloud-based infrastructure services to surpass...
Innovation Insights: Fortinet Extends the Security Fabric into the Cloud
To compete successfully, today’s organizations are having to develop new ways to connect users, devices, data, applications, and services together. To do this they are adopting a variety of...
Fortinet Secures Workloads on AWS
Fortinet is proud to be a Silver Sponsor of the 2017 Amazon Web Services (AWS) Summit being held April 5th and 6th in Sydney, Australia at the Hordern Pavilion & Royal Hall of Industries.
Fortinet Makes it Easier for Customers to Engage Fortinet and Its Partners in AWS Marketplace