Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.

The data could be downloaded without a password by anyone who knew the servers' web addresses.

Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.

According to Vickery, the four servers contained data that amounted to the "keys to the kingdom," he told ZDNet on a call last week.

Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords -- some of which were stored in plaintext.

Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which if stolen could allow an attacker full control over the company's encrypted data stored on Amazon's servers.

Kenneth White, a security expert, said the exposure of master keys is as "bad as it gets for a cloud service provider."

"Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised," said White.

One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet.

Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network.

According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database -- the vast majority were stored in plaintext.

When ZDNet first reached out to Accenture, the company downplayed the exposure, saying the data was less than half a percent of its cloud service, and that "none of our client's information was involved and there was no risk to any of our clients," citing the company's "multi-layered security model."

When we challenged that assertion based on the information Vickery had seen, a spokesperson later said that an investigation was ongoing.

"We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson said.

Accenture isn't the first company to be stung by this kind of data exposure. In recent months, a spate of high-profile companies, including phone companies and voter records analytics firms, have exposed sensitive data because they allowed their Amazon cloud servers to sit open and unsecured.

Vickery said that Accenture was likely using the Amazon servers to migrate data from development to production. While some of the data he found included test accounts, he said many of the credentials "would have led me to plenty of client data if I had been willing to take advantage of it."

There was no way to know for sure as doing so would fall foul of US computer hacking laws, he said.

"But if I have credentials for their production environments, it's pretty safe to say anyone using Accenture's Cloud Platform was at great risk," Vickery told ZDNet.

UpGuard's Dan O'Sullivan, who blogged about the data discovery, said hackers could have done an "untold amount of financial damage" to Accenture and any of its cloud-using customers.

When we asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about two weeks ago," referring to Vickery.

We reached out to several companies whose credentials appeared in the data.

None of the companies would speak on the record prior to publication. But one company said when they contacted Accenture, the company told them it was "not aware" of any breach or exposure.

When asked, a spokesperson would not say if any Accenture customers had been informed of the data exposure.

Contact me securely: Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.