Accenture left private data exposed to public on misconfigured AWS storage
Global management consulting and professional services firm Accenture PLC is the latest in a growing line of companies that have exposed private data online by erroneously configuring an Amazon Web Services Inc. S3 storage bucket.
The data exposure was first detected by security researchers at UpGuard Inc., which said in a blog post that Accenture had left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret application programming interface data, authentication credentials, certificates, decryption keys, customer information and more data that could have been used to attack both Accenture and its clients.
The content publicly exposed on the servers is said to include software for the corporation’s enterprise cloud offering. It’s a “multi-cloud management platform” used by Accenture’s customers, which include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500. The researchers noted that if the data had been accessed by malicious actors, it could have been used for critical secondary attacks against the clients.
Sanjay Beri, chief executive officer at cloud security company Netskope Inc., told SiliconANGLE that the news of Accenture’s gross ineptitude in leaving critical data exposed to the public should be “the last straw in the wave of news about these breaches lately.”
“Accenture is exceptionally fortunate that client data was not exposed in this breach, which happened due to misconfigured AWS S3 buckets — a growing vulnerability for organizations across the board,” Beri said. “It’s a growing threat, as seen with this breach along with other recent major breaches such as Dow Jones’ and Verizon’s, and companies need to take the necessary security precautions to solve what’s ultimately an extremely avoidable issue.”
Being somewhat reasonable about the situation, Beri added that “misconfigured buckets are often the result of innocent oversights that can otherwise be checked by automation in the form of access control and anomaly detection, as well as continued employee education.”
Still, he said, “organizations are running out of excuses when it comes to vulnerable infrastructure, so let’s hope that this latest incident serves as a much-needed wakeup call.”