Accenture narrowly avoided a massive data breach after it was revealed that the firm stored bundles of sensitive data containing decryption keys and customer information on four cloud servers without protecting them with passwords.
Sensitive information stored by Accenture in Amazon S3 cloud buckets could have been accessed by anyone who knew the buckets’ web addresses.
The practice of large corporations storing huge quantities of sensitive corporate and customer information on unsecured cloud servers has almost become a trend, so much so that such instances hardly make it to the papers these days.
However, with nations tightening their data security laws, especially with regard to company-held customer data, lax cyber security approaches on the part of large corporations may turn out to be far costlier than those corporations imagine.
In mid-September, security research firm UpGuard noticed the presence of four public-facing Amazon Web Services S3 storage buckets that contained sensitive Accenture data including secret APIs, authentication credentials, certificates, decryption keys, and customer information. All this data (up to 137GB) was publicly downloadable and could be accessed by anyone with the web addresses of the four unsecured servers.
‘Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these buckets, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,’ noted UpGuard.
Even though the data contained extremely sensitive details about Accenture and its customers, it could have been protected had Accenture password-protected each of the four buckets. However, the firm, which is incidentally the sixth largest cyber security consultancy in the world, failed to implement this simple step.
UpGuard has indicated that it is possible a malicious actor ‘could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information’. However, no such activity has been detected by Accenture or other security firms so far.
‘We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system,’ Accenture told ZDNet.
The firm also added that aside from UpGuard researchers, no unauthorised visitor accessed the servers before they were secured.
This incident took place after Deloitte, one of the world’s leading accountancy firms and also a renowned cyber security consultancy, was hit by a major cyber-attack that compromised not only sensitive emails from the firm’s clients, but also ‘usernames, passwords, IP addresses, architectural diagrams for businesses and health information’.
Hackers were also able to access emails sent and received by 244,000 Deloitte employees. These emails were stored in the Azure cloud service offered by Microsoft.
‘The number one greatest cyber threat to a business is their very own employees. Critical data is more accessible via mobile devices in our 24/7-connected, device-filled world,’ said Darren Guccione, CEO and co-founder of Keeper Security, Inc.
‘Poor password policies, the rise of mobile-targeted attacks and the influx of Internet of Things devices in the workplace are a recipe for disaster. The best way to reduce these risks is through software that can lock an employee’s device and at the same time, protect their passwords and other sensitive digital assets via a ubiquitous digital vault,’ he added.
In a survey of more than 1,000 IT professionals conducted by Keeper Security, 54% of respondents said negligent employees were the root cause of a data breach. Only 43% of respondents have a password policy in place, and 59% say they do not have visibility into their employees’ password practices.