Accenture latest to breach client data due to misconfigured AWS server

Hundreds of gigabytes of sensitive client and company data were exposed when the tech and cloud giant accidentally left four of its AWS S3 buckets open to the public.
By Jessica Davis
03:35 PM
Share
Accenture data breach

Photo via Michael Gray, Flickr.

Technology and cloud leader Accenture inadvertently left four Amazon Web Services S3 buckets open to the public, which could have allowed any user to download the contents, according to a report from UpGuard security researcher Chris Vickery.

Vickery discovered the unsecured buckets on Sept. 17, finding the databases contained confidential API data, customer information and certificates.

The largest exposed server contained more than 137 gigabytes of data, including databases of credentials -- some appeared directly related to Accenture customers, Vickery wrote. In one backup database, nearly 40,000 passwords were stored. And the majority were in plain text.

[Also: Cloud computing decision guide: Breaking down 7 top solutions for healthcare]

Other exposed data included sensitive passwords, secret decryption keys, software for the Accenture Cloud Platform offering and other sensitive data. Each of the four servers held a wide range of credentials and private signing keys, and some were stored in plaintext.

If any of this data was obtained by a nefarious actor, it “could have been used to attack both Accenture and its clients,” Vickery wrote.

Specifically, if hackers accessed the Accenture Cloud Platform software, used by its customers that “include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500,” the exposed data could be used in critical secondary attacks against Accenture’s clients.

[Also: The biggest healthcare breaches of 2017 (so far)]

“This cloud leak shows that even the most advanced and secure enterprises can expose crucial data and risk serious consequences,” Vickery wrote.

The data was misconfigured in a way that anyone who knew the addresses of the buckets could download the data -- without a password, he added.

One of the servers contained access keys to Enstratus, a cloud infrastructure management platform, which Vickery explained could potentially leak the data of other tools used by this platform.

Vickery notified Accenture of the breach immediately, and the company quietly secured the servers the following day.

“Taken together, the significance of these exposed buckets is hard to overstate,” Vickery wrote. “In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”

Specifically, a malicious actor could easily use the exposed keys to impersonate the company, which could allow them to quietly reside on the IT network, Vickery wrote. Further, there’s the added trouble of password reuse: a hacker could leverage the exposed passwords to be used on other sites, platforms or within the network.

Accenture is just one of many companies that have exposed client and or sensitive company data by accidently misconfiguring an AWS S3 cloud server. Verizon recently breached the data of 14 million customers in the same way.

Other high profile companies have fallen victim, including voter analytics firms, phone companies and even health systems have inadvertently breached data by failing to properly secure data stored on the cloud.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com