UPDATED 00:26 EDT / OCTOBER 11 2017


Accenture left private data exposed to public on misconfigured AWS storage

Global management consulting and professional services firm Accenture PLC is the latest in a growing line of companies that have exposed private data online by erroneously configuring an Amazon Web Services Inc. S3 storage bucket.

The data exposure was first detected by security researchers at UpGuard Inc., which said in a blog post that Accenture had left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret application programming interface data, authentication credentials, certificates, decryption keys, customer information and more data that could have been used to attack both Accenture and its clients.

The content publicly exposed on the servers is said to include software for the corporation’s enterprise cloud offering. It’s a “multi-cloud management platform” used by Accenture’s customers, which include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. The researchers noted that if the data had been accessed by malicious actors, it could have been used for critical secondary attacks against the clients.

Sanjay Beri, chief executive officer at cloud security company Netskope Inc., told SiliconANGLE that the news of Accenture’s gross ineptitude in leaving critical data exposed to the public should be “the last straw in the wave of news about these breaches lately.”

“Accenture is exceptionally fortunate that client data was not exposed in this breach, which happened due to misconfigured AWS S3 buckets — a growing vulnerability for organizations across the board,” Beri said. “It’s a growing threat, as seen with this breach along with other recent major breaches such as Dow Jones’ and Verizon’s, and companies need to take the necessary security precautions to solve what’s ultimately an extremely avoidable issue.”

Being somewhat reasonable about the situation, Beri added that “misconfigured buckets are often the result of innocent oversights that can otherwise be checked by automation in the form of access control and anomaly detection, as well as continued employee education.”

Still, he said, “organizations are running out of excuses when it comes to vulnerable infrastructure, so let’s hope that this latest incident serves as a much-needed wakeup call.”
