Accenture has confirmed that data on four cloud storage servers hosted on Amazon's S3 storage service was accidentally left publicly accessible, exposing highly sensitive passwords and decryption keys.
Chris Vickery, director of cyber risk research at security firm UpGuard, discovered the mistake in mid-September and notified Accenture. The company secured the four cloud servers immediately.
The unsecured servers contained information about the company's enterprise cloud offering, a service used by the majority of the Fortune 100 companies, as well as a private signing key and passwords (some of which were stored in plain text).
Accenture's master key for its Amazon Web Services Key Management System (KMS) was also found on one of the servers; it could be used to take full control over the company's encrypted data stored on Amazon servers.
Vickery said he found a folder containing stored keys and certificates that could be used to decrypt traffic between Accenture and its customers, and also discovered credentials that appear to relate to Accenture's access to company data stored on Google's and Microsoft's cloud platforms.
An attacker could have used that data and those credentials to access Accenture's internal corporate network.
According to Vickery, Accenture was using the Amazon servers to transfer data from development to production. The largest server contained 137 gigabytes of data, including a large database of credentials.
One of the servers held hashed passwords and around 40,000 plain-text passwords in a separate backup. It also contained access keys to Accenture's Enstratus cloud management platform and data from its Zenoss event tracker system.
Dan O'Sullivan of UpGuard said in a blog post that "the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage."
"We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more, but the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," said an Accenture spokesperson.
The company said that the forensic investigation is still ongoing, and that no unauthorized access to the servers has been found so far.
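The root cause here is an S3 bucket whose access settings let "anyone stumbling across their URLs" read it. The following audit check is an added example, not code from the article, Accenture or UpGuard: it classifies a bucket from its ACL grants and its Public Access Block configuration, using the real AWS "AllUsers"/"AuthenticatedUsers" grantee URIs, and assumes boto3 only for the optional live `audit_account()` helper (the pure checks run on the constructed sample data without it).

```python
# Real AWS grantee URIs meaning "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_read_grants(grants):
    """URIs of ACL grants that give world read access (get_bucket_acl shape)."""
    return [
        g["Grantee"]["URI"] for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)
        and g.get("Permission") in READ_PERMISSIONS
    ]


def assess_bucket(grants, pab):
    """Return 'public', 'acl-public-but-blocked' or 'private' for one bucket.
    `pab` is the PublicAccessBlockConfiguration dict ({} if none is set);
    IgnorePublicAcls=True makes S3 disregard public ACL grants entirely."""
    if not public_read_grants(grants):
        return "private"
    return "acl-public-but-blocked" if pab.get("IgnorePublicAcls") else "public"


# Constructed sample input, modelled on the boto3 response shapes.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def audit_account():
    """Live check of every bucket in the account; needs boto3 and AWS credentials."""
    import boto3  # imported lazily so the pure checks above run without it
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    report = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        grants = s3.get_bucket_acl(Bucket=name)["Grants"]
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:  # no Public Access Block configured on this bucket
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = {}
        report[name] = assess_bucket(grants, pab)
    return report
```

A bucket reported as "public" is the configuration class described above; enabling all four Public Access Block flags at the account level is the standard mitigation.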