(Image: file photo) Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.The data could be downloaded without a password by anyone who knew the servers' web addresses.Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.According to Vickery, the four servers contained data that amounted to the "keys to the kingdom," he told ZDNet on a call last week. Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords -- some of which were stored in plaintext. Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which if stolen could allow an attacker full control over the company's encrypted data stored on Amazon's servers.Kenneth White, a security expert, said the exposure of master keys is as "bad as it gets for a cloud service provider." "Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised," said White.One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network. According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database -- the vast majority were stored in plaintext.When ZDNet first reached out to Accenture, the company downplayed the exposure, saying the data was less than half a percent of its cloud service, and that "none of our client's information was involved and there was no risk to any of our clients," citing the company's "multi-layered security model."When we challenged that assertion based on the information Vickery had seen, a spokesperson later said that an investigation was ongoing."We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson said.Accenture isn't the first company to be stung by this kind of data exposure. In recent months, a spate of high-profile companies, including phone companies and voter records analytics firms, have exposed sensitive data because they allowed their Amazon cloud servers to sit open and unsecured.Vickery said that Accenture was likely using the Amazon servers to migrate data from development to production. While some of the data he found included test accounts, he said many of the credentials "would have led me to plenty of client data if I had been willing to take advantage of it." There was no way to know for sure as doing so would fall foul of US computer hacking laws, he said. "But if I have credentials for their production environments, it's pretty safe to say anyone using Accenture's Cloud Platform was at great risk," Vickery told ZDNet. UpGuard's Dan O'Sullivan, who blogged about the data discovery, said hackers could have done an "untold amount of financial damage" to Accenture and any of its cloud-using customers.We asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about about two weeks ago," referring to Vickery.We reached out to several companies whose credentials appeared in the data.None of the companies would speak on the record prior to publication. But one company said when they contacted Accenture, the company told them it was "not aware" of any breach or exposure.When asked, a spokesperson would not say if any Accenture customers had been informed of the data exposure. Contact me securely Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5. Read More
IoT security is critical, hard, achievable: 3 best network practices
The rapid adoption and deployment of IoT devices is a significant contributor to digital transformation. To...
Other content in this Stream
IDG Contributor Network: The impact of human behavior on security
I recently saw an ad that read, “Security starts with people,” and it gave me pause. After twenty years in security, I’ve learned that security problems typically start with people, and having...
Fortinet Security Fabric Connectors Automate Management for Multi-Vendor Environments
It does this through one-click integrations with partners including AWS, Cisco ACI, Google Cloud Platform, Microsoft Azure, and VMware NSX.
Get Ready for Real Disruption: The State of NFV | Contributed Art
During the last five years, the state of NFV has been heating up, but in order to reach the next steps of innovation and growth the market must fill a numbe
How Fortinet Connects with Communications Service Providers (CSPs)
Fortinet’s charter with CSPs is to interpret market trends, address key issues, and help drive carrier businesses forward. By improving your competitive positioning, we help everyone make money....
Empowering Security in the CSP’s IoT Infrastructure and Services
CSPs are well-positioned to benefit from the continuing growth of Internet of Things (IoT) devices and related systems—but only as long as the infrastructure can support some IoT-specific...
CSPs bullish on digital transformations in theory but lacking in execution
While communications service providers (CSPs) realize the importance of implementing digital transformation strategies via partner ecosystems, the follow-through has largely been lacking. A study...
Thinking beyond the box – how Software Defined Networks are changing the future of connectivity
Software-Defined Networking is fast becoming THE must have technology. Verizon sponsored survey points to increased understanding of virtualization benefits.
GTT's Sahim: Standards Could Speed SD-WAN Adoption
Kevin Sahim, VP of Engineering, GTT, explains how service providers' delivery of multiple circuit options and hybrid security are important features for enterprise customers adopting SD-WAN.
Service Providers Grapple With ‘VNF Islands’
Newly released SDxCentral 2018 report on the VNF Ecosystem finds SD-WAN and vCPE are top use cases for NFV and the driving force behind service providers virtualizing their networks. Visit us at...
How Your Approach to SD-WAN Can Impact Your Network Security
Light Reading's flagship Big Communications Event is being held in Austin, Texas May 14-16, and Fortinet is proud to be a Gold sponsor for this year’s event. The conference, hosted by Heavy...
Fortinet Fabric Connectors: Enabling Deep Fabric Integration With Third Party Solutions
New Fabric Connectors tie traditionally disparate security solutions into a single, integrated system to automate security workflows, tighten SOC environments, correlate threat feeds, and...
State-of-the-Art Data Protection for GDPR
The extensive requirements and substantial fines of the EU’s GDPR have captured the attention of IT security directors around the world. See how Fortinet comes into play.
Q1 2018 Threat Landscape Report
Read our blog: https://www.fortinet.com/blog/threat-research/fortinet-threat-report-reveals-an-evolution-of-malware-to-exploi.html Fortinet has just released its Quarterly Threat Landscape Report fo
NFV Is Down but Not Out
NFV has failed to live up to the original expectations five years after it was first conceived. How can the industry ward off further technology disappointment?
Verizon: Service chains are essential, but automation needs more work
Verizon has orchestration in place across its network to support various delivery models and services, but closed-loop automation is lagging a bit. In an interview with FierceTelecom, Verizon's...
AT&T's BCE Keynote: 5G & SDN Worlds Colliding
At the Big Communications Event (BCE) 2018 event in Austin, Melissa Arnoldi, president of Technology and Operations at AT&T, spoke about AT&T's path to 5G and the important role software plays.
How to Build a Successful OPEX Security Service
BCE Panel: Open Source Makes Telcos 'Nimble'
Open source can drive agility and change, but telcos need to overcome cultural obstacles.
Verizon to Migrate 1,000 Biz Apps and Backend Systems to AWS
The deal bolsters Verizon’s overall operations, but it also boosts AWS’ position among the country’s largest telecom operators. Visit us at www.sdncentral.com for the complete article.
BT tunes white box strategy for disaggregation while developing cloud-native deployments