Accenture's data breach stark reminder of server misconfiguration dangers
FYI, this story is more than a year old
Global corporate consulting and management firm Accenture is now the subject of a major data breach after researchers from security firm UpGuard revealed the company had failed to secure at least four of its cloud-based storage servers, leaving information publicly downloadable.
The storage servers are believed to be part of Accenture Cloud Platform, which is used by many high-profile customers worldwide.
The servers, hosted on Amazon Web Services S3 storage buckets, contained confidential customer information, authentication credentials, certificates, decryption keys and secret API data.
According to UpGuard’s cyber resilience analyst Dan O’Sullivan, attackers could have harvested even more data that could be used to attack the company and its customers.
Fellow researcher Chris Vickory discovered the breach in September and promptly notified Accenture. The company secured all four servers the following day.
UpGuard says the breach demonstrates that even the largest enterprises can be caught by a breach, exposing sensitive data and risking severe damage.
RedLock CEO Varun Badhwar says the incident is unfortunate but not surprising, because cloud misconfigurations have led to many organisations inadvertently exposing services to the public.
“The fact that a large database of credentials was compromised in this breach creates additional opportunities for hackers to infiltrate the network. It’s imperative that any organisation facing this type of incident replace all compromised credentials immediately. But more importantly, they must vigilantly monitor their environments for intrusions by looking for suspicious activities to contain any potential breaches,” Badhwar comments.
The four storage buckets’ AWS subdomains ‘acp-deployment’, ‘acpcollector’, ‘acp-software’, and ‘acp-ssl’ all contained ‘significant’ internal company data, cloud platforms and configurations.
The ‘acp-deployment’ bucket appeared to store internal access keys and credentials for the Identity API, as well as a document that contained the master access key for AWS Key Management Service. It also included a document suspected to be the password for decrypting different files.
The ‘acpcollector’ bucket contained VPN keys for Accenture’s private network, as well as log information.
‘Acp-software’ was a large 137GB bucket that contained database dumps with the company’s Google and Azure account credentials, as well as credentials from some Accenture clients. Credentials included hashed and unhashed passwords.
Access keys for Enstratus, a cloud infrastructure management platform, are also exposed here, potentially leaking the data of other tools coordinated by Enstratus,” O’Sullivan says in a blog.
Data dumps from Accenture’s choice of event tracker, Zenoss, which records new user creation, IP addresses and JSession IDs are also part of the bucket.
The ‘acp-ssl’ bucket contained key stores that could access different Accenture environments, including private keys and certificates.
O’Sullivan says that during the period the servers were open to public access, anyone who found the URLs could have caused major damage to the company.
“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients,” he says in the blog.
"Enterprises must be able to secure their data against exposures of this type, which could have been prevented with a simple password requirement added to each bucket.”
“How can we ensure all of our systems are configured as they need to be, even at scale? Until such enterprises can trust that their systems are only accessible as needed, hugely damaging exposures of this type will persist, exposing us all to the brunt of cyber risk.”