Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Accenture Exposed Data via Unprotected Cloud Storage Bucket

Consulting and technology services giant Accenture inadvertently exposed potentially sensitive information by leaving it unprotected in four Amazon Web Services (AWS) S3 buckets.

Consulting and technology services giant Accenture inadvertently exposed potentially sensitive information by leaving it unprotected in four Amazon Web Services (AWS) S3 buckets.

The cloud storage containers were discovered on September 17 by Chris Vickery of cyber resilience company UpGuard and they were secured a couple of days later after Vickery notified Accenture of his findings.

The largest of the buckets stored 137 GB of data, including 40,000 plaintext passwords, hashed passwords, access keys for the Enstratus cloud infrastructure management platform, email data, and information on the consulting firm’s ASGARD database. The same container also stored credentials for Accenture’s Google and Azure accounts, and data dumps from an event tracker, including IP addresses and other Accenture client data.

Another bucket stored internal access keys and credentials for an API apparently used by Accenture to authenticate credentials, configuration files for the same API, a master access key for the company’s AWS Key Management Service account, and private signing keys.

The unprotected containers also stored information on Accenture’s cloud stores, including VPN keys and other data that UpGuard believes could have been used by malicious actors to obtain insight into the company’s operations.

Some of the private keys and certificates found in one of the buckets may have allowed attackers to decrypt traffic between Accenture and its clients, UpGuard said.

“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,” explained UpGuard’s Dan O’Sullivan.

“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information,” O’Sullivan added.

Advertisement. Scroll to continue reading.

However, Accenture, whose customers include 94 of the Fortune Global 100 companies, has downplayed the potential impact of the leak, claiming that there was no risk to any of its clients and that no active credentials or other information had been compromised. The company said none of the exposed files stored production data and the credentials could not have been used to access customer systems. Accenture is also confident that its security systems would have caught any intrusion attempts.

This is not the first time UpGuard has found an unprotected AWS S3 bucket exposing sensitive information. In the past months, the company discovered that a Republican Party contractor exposing the details of 198 million American voters, recruiting firm TalentPen exposing information on job applicants at security firm TigerSwan, a call center services provider exposing the details of Verizon customers, and Booz Allen Hamilton exposing U.S. military files. In all cases, data was leaked online due to unprotected Amazon Web Services (AWS) S3 buckets.

In order to help organizations prevent leaks caused by third-party vendors, UpGuard announced on Tuesday the launch of CyberRisk, a new product that automates risk assessment for third-party vendors.

Related: Accenture Launches Platform Powered by Palo Alto, Splunk, Tanium

Related: AWS Bucket Leaks Viacom Critical Data

Related: Millions of Dow Jones Customer Records Exposed Online

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...