Consulting Giant Accenture Left Critical Data Exposed on Amazon S3
Accenture, one of the world's biggest IT services and consulting firms with a long roster of equally high-profile customers, left critical data to be exposed to the general public on the Amazon Web Services (AWS) cloud.
That news comes from a report released Tuesday by researchers at UpGuard Inc. The cybersecurity firm discovered four Amazon Simple Storage Service (S3) buckets owned by Accenture had been misconfigured to allow public access. Accenture, which confirmed UpGuard's report to ZDNet, secured the servers on Sept. 19, two days after they were discovered by UpGuard.
This is far from the first time that UpGuard has discovered a high-profile organization bungling its Amazon S3 configurations; the company has spent the past few months uncovering similar security missteps by the Republican National Committee, Verizon, Dow Jones & Company, the Chicago Election Board, military contractor TigerSwan and, most recently, Viacom.
In the case of Accenture, its four unprotected Amazon S3 buckets exposed "secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients," according to UpGuard. Given Accenture's size and customer base, the consequences of that data falling into the hands of cybercriminals would have been especially wide-ranging. Accenture has operations in 55 countries, with customers -- which include 75 percent of the Fortune Global 500 -- spread across 120 countries.
"In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage," UpGuard said in its report. "It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company's IT environment to gather more information."
The four misconfigured Amazon S3 servers -- named "acp-deployment," "acpcollector," "acp-software" and "acp-ssl" -- belonged to an account named "awsacp0175" and contained data related to Accenture's internal operations, its clients and its Accenture Cloud Platform. The exposed information that UpGuard discovered included:
- Credentials used for the Identity API authentication service
- The "master access key" for Accenture's AWS Key Management Service account
- VPN keys related to Accenture's private network
- Passwords (both hashed and plaintext) related to Accenture clients
- Log-in credentials for Accenture's Microsoft Azure and Google accounts
By default, Amazon S3 buckets are configured to be accessible only by the account owner. UpGuard said the exposure of Accenture's data could have been avoided by adding "a simple password requirement" to each Amazon S3 bucket. In response to a string of reports of unsecured Amazon S3 buckets exposing critical data, AWS issued a reminder to its users back in July to review their bucket configurations and ensure that they are not inadvertently set to be public.
For its part, Accenture said in its statement to ZDNet that it found no immediate risk to its clients stemming from the unsecured Amazon S3 buckets, and that the data UpGuard found is over 2 years old and worked only for "a decommissioned system."
Gladys Rama is the senior site producer for Redmondmag.com, RCPmag.com and MCPmag.com.