Accenture – Embarrassing data leak business data in a public Amazon S3 bucket

Pierluigi Paganini October 11, 2017

The leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket. Disconcerting!

Another Tech giant has fallen victim of an embarrassing data leak, this time the leading global professional services company Accenture exposed its business data in a public Amazon S3 bucket.

The incident exposed internal Accenture private keys, secret API data, and other information, a gift for attackers that want to target the firm or its clients

The unsecured Amazon S3 bucket was discovered by researchers at UpGuard that privately reported to Accenture on Sept. 17. The company solved the problem in one day.

“The UpGuard Cyber Risk Team can now reveal that Accenture, one of the world’s largest corporate consulting and management firms, left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients.” states the report published by UpGuard.

“Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”

Accenture data leak

The popular researcher Chris Vickery found four servers left open online containing a huge trove of company secrets such as authentication credentials, certificates, decryption key, logs of customer data, decryption keys, customer information, and more data that could have been used to target both Accenture and its clients.

Vickery also found software used by Accenture’s Cloud Platform enterprise-level management service.

Accenture is trying to downplay the data leak.

“There was no risk to any of our clients – no active credentials, PII and other sensitive information was compromised,” Accenture noted in a statement. “The information involved could not have provided access to client systems and was not production data or applications.”

“There was no risk to any of our clients – no active credentials, PII or other sensitive information was compromised,” “We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications.”

The four buckets discovered by Vickery are:

  • acp-deployment that contained internal access keys, credentials used by Accenture’s identity API, plaintext documents containing a master access key for Accenture’s account with Amazon Web Services’ Key Management Service, and also private signing keys.
  • acpcollector that contained data related to the maintenance of Accenture’s cloud stores, including VPN keys for the company’s private network and a master view of its cloud ecosystem.
  • acp-software is a 137 GB-bucket, the largest one, that contained database dumps of Accenture client credentials, hashed passwords and 40,000 plaintext passwords. It also included access keys for Accenture’s Enstratus cloud management platform and data from its Zenoss event tracker system, including JSession IDs that if not expired could be plugged into cookies in order to bypass authentication.
  • acp-ssl, contained encryption key stores that provide access to a number of Accenture environments. more key stores in a folder called “acp.aws.accenture.com,”  as well as certificates that, in theory, could be used to decrypt traffic between Accenture and clients.

This is absurd … One of the core services in the Accenture’s portfolio is the security of its customers. Who accessed the data of the company and its customers while it was unsecured only. The impact could be disastrous, probably many customers will choose partners that could ensure them a higher level of security.

In September Viacom Vickery discovered Viacom left the keys of its digital kingdom on a publicly exposed AWS S3 bucket.

Earlier September, researchers from cybersecurity company UpGuard have discovered thousands of files containing personal data on former US military, intelligence, and government workers have allegedly been exposed online for months.

On August, Vickery discovered more than 1.8 million voter records belonging to Americans have been accidentally leaked online by a US voting machine supplier for dozens of US states.

In June, Vickery discovered that a top defense contractor left tens of thousands sensitive Pentagon documents on Amazon Server Without any protection in places.

Chris Vickery discovered many other clamorous cases of open database exposed on the Internet. In July, he discovered data belonging to 14 million U.S.-based Verizon customers that have been exposed on an unprotected AWS Server by a partner of the telecommunications company. In December 2015, the security expert discovered U.S.-based Verizon customers that have been exposed on an unprotected AWS Server by a partner of the telecommunications company. In December 2015 the security expert discovered 191 million records belonging to US voters online, on April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.

In March, he announced a 1.37 billion records data leak, in June 2017 Vickery revealed the DRA firm left 1.1 TB of data unsecured on an Amazon S3, 198 million US voter records exposed.

Recently also the giant Deloitte suffered an embarrassing incident that exposed clients’ secret emails.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Accenture, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment