Story image

Accenture's data breach stark reminder of server misconfiguration dangers

11 Oct 2017

Global corporate consulting and management firm Accenture is now the subject of a major data breach after researchers from security firm UpGuard revealed the company had failed to secure at least four of its cloud-based storage servers, leaving information publicly downloadable.

The storage servers are believed to be part of Accenture Cloud Platform, which is used by many high-profile customers worldwide.

The servers, hosted on Amazon Web Services S3 storage buckets, contained confidential customer information, authentication credentials, certificates, decryption keys and secret API data.

According to UpGuard’s cyber resilience analyst Dan O’Sullivan, attackers could have harvested even more data that could be used to attack the company and its customers.

Fellow researcher Chris Vickory discovered the breach in September and promptly notified Accenture. The company secured all four servers the following day.

UpGuard says the breach demonstrates that even the largest enterprises can be caught by a breach, exposing sensitive data and risking severe damage.

RedLock CEO Varun Badhwar says the incident is unfortunate but not surprising, because cloud misconfigurations have led to many organisations inadvertently exposing services to the public.

“The fact that a large database of credentials was compromised in this breach creates additional opportunities for hackers to infiltrate the network. It’s imperative that any organisation facing this type of incident replace all compromised credentials immediately. But more importantly, they must vigilantly monitor their environments for intrusions by looking for suspicious activities to contain any potential breaches,” Badhwar comments.

The four storage buckets’ AWS subdomains ‘acp-deployment’, ‘acpcollector’, ‘acp-software’, and ‘acp-ssl’ all contained ‘significant’ internal company data, cloud platforms and configurations.

The ‘acp-deployment’ bucket appeared to store internal access keys and credentials for the Identity API, as well as a document that contained the master access key for AWS Key Management Service. It also included a document suspected to be the password for decrypting different files.

The ‘acpcollector’ bucket contained VPN keys for Accenture’s private network, as well as log information.

‘Acp-software’ was a large 137GB bucket that contained database dumps with the company’s Google and Azure account credentials, as well as credentials from some Accenture clients. Credentials included hashed and unhashed passwords.

Access keys for Enstratus, a cloud infrastructure management platform, are also exposed here, potentially leaking the data of other tools coordinated by Enstratus,” O’Sullivan says in a blog.

Data dumps from Accenture’s choice of event tracker, Zenoss, which records new user creation, IP addresses and JSession IDs are also part of the bucket.

 The ‘acp-ssl’ bucket contained key stores that could access different Accenture environments, including private keys and certificates.

O’Sullivan says that during the period the servers were open to public access, anyone who found the URLs could have caused major damage to the company.

“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients,” he says in the blog.

"Enterprises must be able to secure their data against exposures of this type, which could have been prevented with a simple password requirement added to each bucket.”

“How can we ensure all of our systems are configured as they need to be, even at scale? Until such enterprises can trust that their systems are only accessible as needed, hugely damaging exposures of this type will persist, exposing us all to the brunt of cyber risk.”

Kiwis know security is important, but they're not doing much about it
Only 49% of respondents use antivirus software and even fewer – just 19% -  change their passwords regularly.
Avi Networks: Using visibility to build trust
Visibility, also referred to as observability, is a core tenet of modern application architectures for basic operation, not just for security.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.