(Image: file photo) Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.The data could be downloaded without a password by anyone who knew the servers' web addresses.Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.According to Vickery, the four servers contained data that amounted to the "keys to the kingdom," he told ZDNet on a call last week. Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords -- some of which were stored in plaintext. Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which if stolen could allow an attacker full control over the company's encrypted data stored on Amazon's servers.Kenneth White, a security expert, said the exposure of master keys is as "bad as it gets for a cloud service provider." "Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised," said White.One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network. According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database -- the vast majority were stored in plaintext.When ZDNet first reached out to Accenture, the company downplayed the exposure, saying the data was less than half a percent of its cloud service, and that "none of our client's information was involved and there was no risk to any of our clients," citing the company's "multi-layered security model."When we challenged that assertion based on the information Vickery had seen, a spokesperson later said that an investigation was ongoing."We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson said.Accenture isn't the first company to be stung by this kind of data exposure. In recent months, a spate of high-profile companies, including phone companies and voter records analytics firms, have exposed sensitive data because they allowed their Amazon cloud servers to sit open and unsecured.Vickery said that Accenture was likely using the Amazon servers to migrate data from development to production. While some of the data he found included test accounts, he said many of the credentials "would have led me to plenty of client data if I had been willing to take advantage of it." There was no way to know for sure as doing so would fall foul of US computer hacking laws, he said. "But if I have credentials for their production environments, it's pretty safe to say anyone using Accenture's Cloud Platform was at great risk," Vickery told ZDNet. UpGuard's Dan O'Sullivan, who blogged about the data discovery, said hackers could have done an "untold amount of financial damage" to Accenture and any of its cloud-using customers.We asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about about two weeks ago," referring to Vickery.We reached out to several companies whose credentials appeared in the data.None of the companies would speak on the record prior to publication. But one company said when they contacted Accenture, the company told them it was "not aware" of any breach or exposure.When asked, a spokesperson would not say if any Accenture customers had been informed of the data exposure. Contact me securely Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5. Read More
Home » Fortinet Service Provider Industry News » Accenture left a huge trove of sensitive data on exposed servers
IoT security is critical, hard, achievable: 3 best network practices
The rapid adoption and deployment of IoT devices is a significant contributor to digital transformation. To...
Most Recent Articles
Spanning the globe: CenturyLink goes worldwide with its SD-WAN service
Thanks in part to its deal to buy Level 3, CenturyLink has rolled out its SD-WAN service to more than 36 countries across the globe. CenturyLink's SD-WAN service has stretched its legs out of...
Orange Business Services tees up support for Amazon Web Services
Orange Business Services is forming strategic partnerships with cloud providers such as AWS to become a leader for multicloud services. Orange Business Services already has a similar deal in place...
TAG Cyber Annual: Automation, Analytics & Cloud Driving Improved Security Picture
Organization led by former AT&T security chief Ed Amoroso updates third volume of annual reports tracking cybersecurity trends.
Windstream Enterprise's SD-WAN service scores PCI DSS compliance
Windstream announced on Tuesday that its SD-WAN service has met the standard for the Payment Card Industry Data Security Standard (PCI DSS) Version 3.2 Compliance. The PCI DSS compliance was...
Windstream Adds PCI Compliance to SD-WAN
Service provider says the independent compliance is important not just to its retail segment customers but also many other market segments.
IDC report: VNF revenues to hit $16.4B by 2022
After a somewhat rocky start, virtual network functions are poised to grow to $16.4 billion in revenues by 2022, according to an IDC report. Worldwide revenue for the VNF market in 2017 checked in...
Security, Network Capacity Issues Drive Need for IoT Automation
Communications service providers (CSPs) are slowly adopting automated processes for their Internet of Things (IoT) network architecture, with more than 80% of CSPs who participated in this month's...
Move Securely to the Cloud: Gain the Advantages
Organizations can reap the full benefits of the cloud and avoid potential security risks by following four fundamental steps.
Industry Voices—Doyle: 5 myths about multi-access edge computing
Multi-access edge computing (MEC) is a network architecture that supports compute and storage capacity at the edge of the network. Proponents believe that MEC provides substantial performance...
AT&T's Gilbert: AI Critical to 5G Infrastructure
AI and machine learning are essential to scaling the deployment and configuration of the exploding numbers of cellsites needed for 5G, says Mazin Gilbert in the first of a two-part series.
Vodafone's Heeran: Time to move on from NFV; focus instead on cloud
Vodafone's Fran Heeran is pretty much done with NFV and ready to bear down on cloudifcation. Heeran took over the reins of Vodafone's virtualization effort in July of last year when he was hired...
Lean, Mean & Agile Hacking Machine
Hackers are thinking more like developers to evade detection and are becoming more precise in their targeting.
Fortinet Adds Network Access Control for IoT Security to Its Security Fabric
The company acquired NAC vendor Bradford Networks earlier this summer. Today it’s essentially rebranding Bradford’s technology as FortiNAC. Visit us at www.sdncentral.com for the complete...
Collaboration will be key for telcos in an era of shared 5G networks
The sheer cost of rolling out a nationwide 5G network may not be justifiable based on the potential returns any single operator will be able to generate.
Growing fangs: Immutable workloads and the tansforming telco (Reader Forum)
FANG – Facebook, Amazon, Netflix and Google – is taking a bite out of traditional service providers’ business. By competing with telecommunication service providers (telcos) to create and optimize...
How Some Service Providers Are Using SD-WAN the Wrong Way
Most current SD-WAN services are too limited in scope and too defensive in strategy, a veteran analyst warns.
Transforming legacy infrastructure into powerful and profitable next-generation cloud communications services (Reader Forum)
To quote the famous Rolling Stones song, “You can’t always get what you want, but you can get what you need.” That’s wisdom for communications service providers (CSPs) and the large, global...
AT&T, Verizon, T-Mobile and Sprint rally around security standard for IoT
U.S. wireless industry association CTIA announced a new security certification program targeting the IoT space.
Telecom networks under far greater malware pressure than global norm: Lastline
Telecommunications networks are a proving ground for cybercriminals and their malware, according to Lastline's Global Threat Intelligence Network.
Survey says: 12% of operators moving to commercial 5G deployment by year’s end