Numerous companies have shamed themselves by posting their sensitive data and encryption keys to public cloud without any protection, where cyber criminals and security researches find them.
What is the better way to get a bad dent to the “professional” cover of the data security consultanting company than doing exactly this? And yet those companies keep doing exactly that mistake one after each another. Like consulting companies saying together “do not do like I do, do like I say you should do”.
First Deloitte leaked data to clouds, and no Accenture seems to be following this disconcerning trend: first leak the secret keys to kingdom and then try to downplay incident in PR (who will believe those downplay stories anymore?)
Accenture – Embarrassing data leak business data in a public Amazon S3 bucket
http://securityaffairs.co/wordpress/64150/data-breach/accenture-data-leak.html
The leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket. Disconcerting!
The incident exposed internal Accenture private keys, secret API data, and other information, a gift for attackers that want to target the firm or its clients.
11 Comments
Tomi Engdahl says:
How about the game with security software?
First big move:
How Israel Caught Russian Hackers Scouring the World for U.S. Secrets
https://mobile.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html?smid=tw-nytimes&smtyp=cur&referer=http://m.facebook.com/
Tomi Engdahl says:
System Shock: How A Cloud Leak Exposed Accenture’s Business
https://www.upguard.com/breaches/cloud-leak-accenture
The UpGuard Cyber Risk Team can now reveal that Accenture, one of the world’s largest corporate consulting and management firms, left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients. The servers’ contents appear to be the software for the corporation’s enterprise cloud offering, Accenture Cloud Platform, a “multi-cloud management platform” used by Accenture’s customers, which “include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500” – raising the possibility that, if valid, exposed Accenture data could have been used for critical secondary attacks against these clients. With a CSTAR cyber risk score of 790 out of a possible 950, this cloud leak shows that even the most advanced and secure enterprises can expose crucial data and risk serious consequences.
The Discovery
On September 17th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered four Amazon Web Services S3 storage buckets configured for public access, downloadable to anyone who entered the buckets’ web addresses into their internet browser. A cursory analysis on September 18th of the four buckets – titled with the AWS subdomains “acp-deployment,” “acpcollector,” “acp-software,” and “acp-ssl” – revealed significant internal Accenture data, including cloud platform credentials and configurations, prompted Vickery to notify the corporation; the four AWS servers were secured the next day.
All four S3 buckets contain highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform. All were maintained by an account named “awsacp0175,” a possible indication of the buckets’ origin.
Also contained in the bucket is a number of “client.jks” files – stored in some cases alongside what is believed to be the plaintext password necessary to decrypt the file. It is unknown precisely what the keys in “clients.jks” could be used to access. Private signing keys were also exposed within these files – placing a critical tool in the hands of anyone who encountered them.
At a size of 137 GB, the bucket “acp-software” is much larger, giving some indication of its contents: large database dumps that include credentials, some of which appear to be for some Accenture clients. While many of the passwords contained here are hashed – passwords mathematically transformed into an alphanumeric string – a collection of nearly 40,000 plaintext passwords is present in one of the database backups. Access keys for Enstratus, a cloud infrastructure management platform, are also exposed here, potentially leaking the data of other tools coordinated by Enstratus. Information about Accenture’s ASGARD database, as well as internal Accenture email info, are also contained here.
Tomi Engdahl says:
Accenture – Embarrassing data leak business data in a public Amazon S3 bucket
http://securityaffairs.co/wordpress/64150/data-breach/accenture-data-leak.html
The leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket. Disconcerting!
Another Tech giant has fallen victim of an embarrassing data leak, this time the leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket.
The incident exposed internal Accenture private keys, secret API data, and other information, a gift for attackers that want to target the firm or its clients
Tomi Engdahl says:
https://www.reddit.com/r/sysadmin/comments/75iwap/accenture_data_breach/
Chris Vickery here, Director of Cyber Risk Research at UpGuard. News broke today of a data exposure I personally discovered, involving Accenture, a company which serves over 75% of Fortune 500 companies.
“Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.
The servers, hosted on Amazon’s S3 storage service, contained hundreds of gigabytes of data for the company’s enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.
The data could be downloaded without a password by anyone who knew the servers’ web addresses.
…”
Tomi Engdahl says:
Accenture left a huge trove of highly sensitive data on exposed servers
The four exposed servers had no password, but contained the “keys to the kingdom.”
http://www.zdnet.com/article/accenture-left-a-huge-trove-of-client-passwords-on-exposed-servers/
Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.
The servers, hosted on Amazon’s S3 storage service, contained hundreds of gigabytes of data for the company’s enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.
The data could be downloaded without a password by anyone who knew the servers’ web addresses.
Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.
According to Vickery, the four servers contained data that amounted to the “keys to the kingdom,” he told ZDNet on a call last week.
Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords — some of which were stored in plaintext.
Vickery said he also found Accenture’s master keys for its Amazon Web Service’s Key Management System (KMS), which if stolen could allow an attacker full control over the company’s encrypted data stored on Amazon’s servers.
Kenneth White, a security expert, said the exposure of master keys is as “bad as it gets for a cloud service provider.”
“Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised,” said White.
Tomi Engdahl says:
This Accenture advertisement:
Imagine a scenario where an attacker breached the perimeter boundary and business continued as usual.
https://www.accenture.com/us-en/insight-what-if-there-was-security-breach-nobody-cared
No televised news segment. No newspaper article. No walk down the long corridor to the boss’s office.
It’s a scenario that becomes a reality with a fundamental shift in security posture focused on data-centric security.
Chief information officers (CIOs), chief information security officers (CISOs) and business leaders face a perfect storm of exponentially increasing volumes of data, types and quantity of devices, and velocity of threats.
Tomi Engdahl says:
Accenture latest to breach client data due to misconfigured AWS server
http://www.healthcareitnews.com/news/accenture-latest-breach-client-data-due-misconfigured-aws-server
Hundreds of gigabytes of sensitive client and company data were exposed when the tech and cloud giant accidentally left four of its AWS S3 buckets open to the public.
Technology and cloud leader Accenture inadvertently left four Amazon Web Services S3 buckets open to the public, which could have allowed any user to download the contents, according to a report from UpGuard security researcher Chris Vickery.
Vickery discovered the unsecured buckets on Sept. 17, finding the databases contained confidential API data, customer information and certificates.
The largest exposed server contained more than 137 gigabytes of data, including databases of credentials — some appeared directly related to Accenture customers, Vickery wrote. In one backup database, nearly 40,000 passwords were stored. And the majority were in plain text.
Other exposed data included sensitive passwords, secret decryption keys, software for the Accenture Cloud Platform offering and other sensitive data. Each of the four servers held a wide range of credentials and private signing keys, and some were stored in plaintext.
If any of this data was obtained by a nefarious actor, it “could have been used to attack both Accenture and its clients,” Vickery wrote.
Specifically, if hackers accessed the Accenture Cloud Platform software, used by its customers that “include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500,” the exposed data could be used in critical secondary attacks against Accenture’s clients.
“This cloud leak shows that even the most advanced and secure enterprises can expose crucial data and risk serious consequences,” Vickery wrote.
The data was misconfigured in a way that anyone who knew the addresses of the buckets could download the data — without a password
Vickery notified Accenture of the breach immediately, and the company quietly secured the servers the following day.
“Taken together, the significance of these exposed buckets is hard to overstate,” Vickery wrote. “In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”
Tomi Engdahl says:
Accenture left four servers of sensitive data completely unprotected
Cybersecurity firm UpGuard discovered the data last month.
https://www.engadget.com/2017/10/10/accenture-four-servers-sensitive-data-unprotected/
UpGuard has yet again uncovered a trove of corporate data left unprotected, this time from major consulting and management firm Accenture. The data — contained on four cloud-based storage servers — were discovered by UpGuard Director of Cyber Risk
UpGuard quickly notified Accenture after discovering the exposed data and the company secured the servers soon thereafter. Accenture also said that UpGuard was the only non-authorized visitor to access the servers. Accenture told ZDNet, “We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system.”
Tomi Engdahl says:
Accenture Latest Company To Leave Critical Data Exposed On Amazon Web Services Server
http://www.crn.com/news/security/300093646/accenture-latest-company-to-leave-critical-data-exposed-on-amazon-web-services-server.htm
Tomi Engdahl says:
Accenture inadvertently exposes highly sensitive corporate, client data online
https://www.helpnetsecurity.com/2017/10/10/accenture-data-exposed/
Corporate consulting giant Accenture left bucketloads of sensitive corporate and client data exposed online for anyone to access. Luckily for them, it seems that UpGuard director of cyber risk research Chris Vickery was the only one who stumbled upon it.
Tomi Engdahl says:
UpGuard Reports Accenture Data Exposure, Debuts Risk Detection Service
http://www.eweek.com/security/upguard-reports-accenture-data-exposure-debuts-risk-detection-service
Security vendor claims Accenture left multiple cloud based storage servers unsecured, though Accenture is downplaying the risk.
Many of UpGuard’s security breach disclosures have involved organizations, like Accenture, that have left data improperly secured in an Amazon S3 storage bucket. At the AWS Summit in August 2017, Amazon took aim at that specific issue with Macie Machine Learning service that helps organizations to detect confidential information that is in the cloud. Baukes commented that what UpGuard is providing is a more comprehensive approach than what is available on AWS alone.
“Not everyone is on Amazon, the breaches that we have found are not just Amazon S3 buckets, there are many other vectors,” Baukes said.