Accenture Latest Company To Leave Critical Data Exposed On Amazon Web Services Server
Accenture is the latest company to expose private data on an Amazon Web Services server, news that comes as the systems integrator giant looks to ramp up its security practice.
The UpGuard Cyber Risk Team revealed in a blog post Tuesday that it had found multiple AWS S3 storage buckets left unsecured by Accenture. The blog said the servers were configured for public access and were publicly downloadable. The exposed data was discovered on Sept. 17 by UpGuard Director of Cyber Risk Research Chris Vickery.
The blog said those servers – at least four in number – looked to be related to software for the company's Accenture Cloud Platform. The data included information on the inner workings of the cloud platform and clients using the platform.
The blog post said the unsecured server exposed secret API data, authentication credentials, certificates, decryption keys, customer information and "more data that could have been used to attack both Accenture and its clients."
"The significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage," the blog post said. The blog post said hackers could have used the information exposed to impersonate Accenture, gather information on clients through the company's IT networks, or take advantage of password reuse, among other things.
In an email to CRN, an Accenture spokesperson said there was no evidence that any client information was compromised, as the company has other security protections in place that would prevent it.
"There was no risk to any of our clients -- no active credentials, PII or other sensitive information compromised. We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications," the spokesperson said.
The Accenture data exposure is just the latest example in a series of public cloud data leaks in recent months, primarily surrounding unsecured AWS S3 storage buckets. Recent examples include leaks at Verizon, Dow Jones & Company, the Republican National Committee, World Wrestling Entertainment and TigerSwan.
Amazon issued a letter to customers in July warning them to re-examine S3 storage drives with policies allowing their contents to be shared. AWS sent emails to an undisclosed number of customers, pointing out to them the S3 buckets in their accounts that have no controls barring public access, and advising them to re-examine if the contents needed to be secured.
The news comes as Accenture, No. 2 on the CRN 2017 Solution Provider 500 list, looks to build out its security practice. Accenture has bet big on security and seen strong growth in that area, with the combination of digital cloud and security-related services accounting for more than half of the company's total revenue in its most recent quarter.
Meanwhile, in September, reports emerged that Deloitte, No. 18 on the 2017 CRN Solution Provider 500 list, had been hacked. A Guardian report said a Deloitte global email server was hacked, which gave hackers access to emails to and from the company's staff, as well as customer information on some of the company's top federal and private sector clients. The report said the hackers could have also accessed other information, such as usernames, passwords, IP addresses and architectural design diagrams.