Accenture has confirmed that highly sensitive company data was left sitting on an unlocked cloud server.
The tech giant confessed that a huge database, including hundreds of gigabytes of data for the company’s enterprise cloud offering, was left on four unsecured Amazon S3 servers.
The data included highly sensitive passwords and secret decryption keys, which could have inflicted significant damage on both the company and its clients. To put things into perspective, Accenture’s clients are Fortune 100.
The data was uploaded in such a way that anyone who knew the servers’ addresses could have walked in and taken the data.
Chris Vickery, director of cyber risk research at security firm UpGuard, found out about the oversight in September, and notified Accenture. Servers were secured, in quiet, the next day.
Kenneth White, a security expert, said the exposure of master keys is as "bad as it gets for a cloud service provider." “Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised," said White.
According to ZDNet, Accenture first tried to downplay the incident, saying the data was less than half a per cent of its cloud service and that none of its clients’ information was involved.
Later, however, the company confirmed that the investigation was ongoing.
"We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson said.
Image Credit: Rawpixel.com / Shutterstock