A few days ago, Accenture, the IT consulting giant, confirmed it had exposed sensitive information to the public internet. UpGuard, which found the exposure, reported it privately to Accenture in mid-September 2017, and Accenture fixed it within 24 hours. The breach impacted the Accenture Cloud Platform, hosted on Amazon S3 servers. The exposed details read like a who’s-who of sensitive information: private digital signature keys, plaintext passwords, certificates, internal emails, and confidential customer data. Reports indicate that four AWS servers suffered from this leakage. The leaked data included credentials for Azure and Google accounts, which implies the full scope of this and other breaches could be much worse than initially thought.
The kind of data leaked means that attackers have a pre-made list of passwords that could be used to access sensitive data. A more determined attacker can use the leaked private keys and certificates to impersonate an Accenture system or employee. They could then access all manner of sensitive internal data. Even worse, if a potential or current customer reaches out to the spoofed system, the attacker could compromise their data as well. The possibilities are endless.
As reported by Dan O’Sullivan, “Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.” No one, especially one of the Fortune Global 100 companies that employ Accenture, wants to work with someone so lax on security. When a company one trusts as a cybersecurity professional suffers from a breach so avoidable, it makes one wonder what else is wrong. What other data could have been leaked? Employee PII? Customer payment details? It will be interesting to see how Accenture’s perception as an IT security leader changes in the coming months.
Need some help with locking your cloud resources down? Not a problem; we’d love to help. Click here to contact us directly to see how we can work together. Don’t let what happened to Accenture happen to you.
– UpGuard’s initial disclosure report
– Information Security Magazine’s coverage
Secure Compliance Solutions LLC (SCS) provides a wide range of CISO advisory consulting and Managed Security Services that help our clients build and strengthen their strategic Information Security and Data Privacy programs. SCS believes that a comprehensive implementation of industry-tested frameworks and standards not only helps organizations meet their compliance goals, but significantly strengthens overall security posture. We raise awareness of current security trends and risks to prepare personnel to recognize potential security issues. Our Managed Security Service is designed so clients can offload the responsibility of “constant watch” against both internal and external cyber threats and attacks. SCS helps our customers wade through complex and evolving cybersecurity regulations, and defends their business interests against increasingly sophisticated cyber threats. At SCS, we champion a strategy of readiness and resilience that facilitates business risk mitigation and enables dynamic response capabilities.