
Accenture Exposes Sensitive Data On Unprotected AWS Servers

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

UPDATED: Security researchers find Accenture left four cloud-based storage servers unsecured but Accenture says customer data was never at risk

IT services giant Accenture is the latest company found exposing client data, after it left at least four cloud-based storage servers (Amazon S3 buckets) open to the public.

That was the warning from security specialists UpGuard, which found that despite Accenture being one of the world’s largest corporate consulting and management firms, it had left client data publicly downloadable.

It comes as the rules governing breaches of customer data tighten under the incoming GDPR, which could mean large fines for the companies involved.


UpGuard found the unsecured servers contained “secret API data, authentication credentials, certificates, decryption keys, customer information.” This information, it warned in a blog post, could have been used to attack both Accenture and its clients.

“The servers’ contents appear to be the software for the corporation’s enterprise cloud offering, Accenture Cloud Platform, a ‘multi-cloud management platform’ used by Accenture’s customers, which ‘include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500’ – raising the possibility that, if valid, exposed Accenture data could have been used for critical secondary attacks against these clients,” wrote the researchers.

The discovery came last month when UpGuard Director of Cyber Risk Research Chris Vickery discovered four Amazon Web Services S3 storage buckets configured for public access, downloadable to anyone who entered the buckets’ web addresses into their internet browser.

To make matters worse, these S3 storage buckets contained “significant internal Accenture data, including cloud platform credentials and configurations.”
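The misconfiguration described above is an S3 bucket whose ACL or bucket policy grants access to anyone, which is what lets a browser fetch a listing from the bucket’s URL. The following audit script is an added example, not code from the article, from UpGuard or from Accenture. It inspects the JSON shapes returned by `aws s3api get-bucket-acl` and `get-bucket-policy`, flags grants to the AllUsers/AuthenticatedUsers groups and Allow statements with a wildcard principal, and checks the Block Public Access setting that AWS introduced after this incident. The bucket names, IDs and policy documents are constructed samples.

```python
"""Audit S3 bucket ACLs and policies for anonymous access.

Added example (not from the original article). The sample documents below are
constructed; they mimic `aws s3api get-bucket-acl` / `get-bucket-policy` output.
"""
import json

# Group grantees that make an ACL grant public (anyone on the internet) or
# near-public (anyone holding any AWS account). A bucket-level READ grant to
# AllUsers is what produces an object listing when the bucket URL is opened.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Bucket-level setting that overrides both public ACLs and public policies.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs that expose the bucket via its ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_anonymous(principal):
    # "*" or {"AWS": "*"} (possibly inside a list) means any caller, signed or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return (public Sids, conditional Sids) for Allow statements open to any principal.

    A Condition (source VPC, source IP, ...) narrows who can actually use the
    statement, so those are reported separately rather than as fully public.
    This is a simplification of AWS's own public-policy evaluation.
    """
    public, conditional = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        (conditional if stmt.get("Condition") else public).append(stmt.get("Sid", "<no Sid>"))
    return public, conditional


def public_access_block_complete(config):
    """True only when all four Block Public Access switches are on."""
    return all(config.get(key) is True for key in HARDENED_PUBLIC_ACCESS_BLOCK)


def audit_bucket(name, acl, policy=None):
    """Combine the ACL and policy checks into one verdict for a bucket."""
    acl_findings = public_acl_grants(acl)
    pol_public, pol_cond = public_policy_statements(policy or {})
    return {
        "bucket": name,
        "public": bool(acl_findings or pol_public),
        "acl_grants": acl_findings,
        "policy_statements": pol_public,
        "conditional_statements": pol_cond,
    }


# Constructed sample documents (hypothetical owner ID, bucket name and VPC endpoint).
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    ],
}
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

if __name__ == "__main__":
    for name, acl, pol in [("exposed-acl", EXPOSED_ACL, None),
                           ("exposed-policy", PRIVATE_ACL, PUBLIC_READ_POLICY),
                           ("private", PRIVATE_ACL, None)]:
        print(json.dumps(audit_bucket(name, acl, pol)))
```

In practice the two documents come from `aws s3api get-bucket-acl --bucket NAME` and `aws s3api get-bucket-policy --bucket NAME` (the latter returns the policy as a JSON string inside a `Policy` field, so it needs one extra `json.loads`), and the Block Public Access state from `get-public-access-block`. The ACL check is the one that would have caught the Accenture buckets, which were readable by the AllUsers group; the policy check covers the other common way a bucket ends up public.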

Vickery did the responsible thing and promptly notified Accenture, which secured the four buckets the next day.

All four S3 buckets contained highly sensitive data about Accenture Cloud Platform, its inner workings, and the Accenture clients using the platform.

What makes this exposure particularly concerning is that one of the buckets was mostly devoted to storing internal access keys and credentials for use by the platform’s Identity API, which appears to be the service used to authenticate credentials. Private signing keys were also exposed, as were credentials for what appear to be Accenture’s Google and Azure accounts, which could have been used to seize Accenture cloud assets.

“Taken together, the significance of these exposed buckets is hard to overstate,” wrote the researchers. “In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”

GDPR Deadline

Data breaches like these will be treated seriously under the strict General Data Protection Regulation (GDPR), which comes into effect across Europe in May 2018.

The GDPR has been in the planning since January 2012, and it aims to give citizens back control over their data in the digital age, including the right to be forgotten. It also imposes tough financial penalties on businesses for not protecting data.

The GDPR replaces the Data Protection Directive that was introduced in 1995, and the new law takes into account the arrival of the Internet, smartphones, and social networking.

UPDATE: Accenture has denied the customer data was ever at risk

“There was no risk to any of our clients – no active credentials, PII and other sensitive information was compromised,” a spokesperson told Silicon. “We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications.”
