Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.

The data could be downloaded without a password by anyone who knew the servers' web addresses.

Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.

According to Vickery, the four servers contained data that amounted to the "keys to the kingdom," he told ZDNet on a call last week.

Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords -- some of which were stored in plaintext.

Vickery said he also found Accenture's master keys for its Amazon Web Service's Key Management System (KMS), which if stolen could allow an attacker full control over the company's encrypted data stored on Amazon's servers.

Kenneth White, a security expert, said the exposure of master keys is as "bad as it gets for a cloud service provider."

"Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised," said White.

One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet.

Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network.

According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database -- the vast majority were stored in plaintext.

When ZDNet first reached out to Accenture, the company downplayed the exposure, saying the data was less than half a percent of its cloud service, and that "none of our client's information was involved and there was no risk to any of our clients," citing the company's "multi-layered security model."

When we challenged that assertion based on the information Vickery had seen, a spokesperson later said that an investigation was ongoing.

"We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson said.

Accenture isn't the first company to be stung by this kind of data exposure. In recent months, a spate of high-profile companies, including phone companies and voter records analytics firms, have exposed sensitive data because they allowed their Amazon cloud servers to sit open and unsecured.

Vickery said that Accenture was likely using the Amazon servers to migrate data from development to production. While some of the data he found included test accounts, he said many of the credentials "would have led me to plenty of client data if I had been willing to take advantage of it."
There was no way to know for sure as doing so would fall foul of US computer hacking laws, he said.

"But if I have credentials for their production environments, it's pretty safe to say anyone using Accenture's Cloud Platform was at great risk," Vickery told ZDNet.

UpGuard's Dan O'Sullivan, who blogged about the data discovery, said hackers could have done an "untold amount of financial damage" to Accenture and any of its cloud-using customers.

When we asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about two weeks ago," referring to Vickery.

We reached out to several companies whose credentials appeared in the data.

None of the companies would speak on the record prior to publication. But one company said when they contacted Accenture, the company told them it was "not aware" of any breach or exposure.

When asked, a spokesperson would not say if any Accenture customers had been informed of the data exposure.

Contact me securely: Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.