Yet another huge security gaffe by a massive company.
There’s a growing list of companies that are accidentally exposing their goods to the entire internet, thanks to their blind reliance on Amazon’s S3 web hosting service. The latest company to fall victim to a “data overexposure” (the nice, friendly term for accidentally sticking all your information out there rather than being hacked in a data breach) is Accenture, one of the world’s largest corporate consulting and management firms – which counts the majority of the Fortune 100 companies as its customers.
Yes, as one researcher put it, Accenture’s data overexposure – the result of failing to secure four of its Amazon storage buckets – put “the keys to the kingdom” online for anyone to find. This is just the latest in a growing number of discoveries for security firm UpGuard’s director of cyber risk research Chris Vickery, who also discovered over the summer that Dow Jones had done pretty much the same thing using the same platform. Dow Jones, parent company of the Wall Street Journal, exposed the login and partial payment credentials for its print and digital subscribers.
Basics not covered
Not only was Accenture’s data not password protected, so that anyone who knew its address could download it, but the information it contained for Accenture’s customers included complete login details. According to the UpGuard report, “A cursory analysis … revealed significant internal Accenture data, including cloud platform credentials and configurations.” This information included hashed and unhashed passwords, among other sensitive data.
According to HealthcareITNews, “Other exposed data included sensitive passwords, secret decryption keys, software for the Accenture Cloud Platform offering and other sensitive data. Each of the four servers held a wide range of credentials and private signing keys, and some were stored in plaintext.”
Bigger issue?
Accenture is by no means the first, nor the largest, company to expose itself by not understanding how to secure its information. What isn’t readily apparent, however, is whether or not anyone before Vickery stumbled upon the information and used it for their own purposes…