Consulting giant Accenture left critical data exposed on Amazon S3.


Accenture, a global IT services and consulting firm with a long list of high-profile clients, left critical data open to the public on Amazon Web Services (AWS). The exposure was revealed Tuesday by UpGuard Inc. The cybersecurity firm discovered that four Amazon Simple Storage Service (S3) buckets owned by Accenture were misconfigured to allow public access. Accenture confirmed UpGuard’s report and secured the servers on September 19, two days after UpGuard discovered them.

UpGuard has found many high-profile organizations that have misconfigured Amazon S3. The company has spent the last few months uncovering similar security issues at the Republican National Committee, Viacom, Verizon, Dow Jones & Company and the Chicago Election Board.

According to UpGuard, Accenture’s four unprotected Amazon S3 buckets contained “secret API data,” certificates, decryption keys, customer information, and other data that could have been used for attacks on both Accenture and its clients. Given Accenture’s size, customer base, and financial resources, the consequences could have been devastating had cybercriminals obtained the data. Accenture has operations in 55 countries and customers in 120 countries. These customers include 75 percent of the Fortune Global 500. UpGuard’s report stated that these cloud servers could have exposed Accenture and its top-flight corporate clients to malicious attacks. A malicious actor could have used the exposed keys to impersonate Accenture and move quietly through the company’s IT environment to find more information.

The four misconfigured Amazon S3 buckets, titled “acpdeployment,” “acpcollector,” “acpsoftware” and “acpssl,” belonged to an account named “awsacp0175”. They contained data about Accenture, its clients, and the Accenture Cloud Platform. UpGuard discovered the following information:

  • Credentials used to authenticate the Identity API authentication service
  • Accenture’s AWS Key Management Service account “master access key”
  • VPN keys for Accenture’s private networks
  • Passwords (both plaintext and hashed) for Accenture clients
  • Login credentials for Accenture’s Microsoft Azure or Google accounts

By default, Amazon S3 buckets can only be accessed by the account owner. UpGuard stated that Accenture’s data would not have been exposed if the company had added a simple password requirement to each Amazon S3 bucket. In July, in response to several reports of unsecured Amazon S3 buckets exposing critical data, AWS reminded its users to review their Amazon S3 bucket configurations and make sure buckets had not accidentally been made public.

Accenture, for its part, said in a statement to ZDNet that it found no immediate threat to its clients from the unsecured Amazon S3 buckets. It also said that the data UpGuard discovered is more than 2 years old and was only used for “a decommissioned” system.
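
The configuration review AWS asked its users to carry out can be automated. The Python below is an added example, not code from UpGuard, Accenture or AWS: it inspects bucket ACLs and bucket policies in the JSON shapes returned by the S3 GetBucketAcl and GetBucketPolicy calls and reports anything readable outside the owning account. The bucket names and configurations are constructed sample data, and the function names are this example's own.

```python
import json

# Predefined S3 groups; a grant to either reaches beyond the owning account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def acl_findings(acl):
    """Grants (GetBucketAcl response shape) made to a public group."""
    out = []
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who:
            out.append(f"ACL grants {grant['Permission']} to {who}")
    return out

def is_wildcard(principal):
    """True for "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])

def policy_findings(policy_json):
    """Allow statements open to every principal (those with a Condition need manual review)."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [f"policy allows {s.get('Action')} to everyone" for s in stmts
            if s.get("Effect") == "Allow" and is_wildcard(s.get("Principal"))
            and not s.get("Condition")]

def audit(buckets):
    """Map bucket name -> findings, omitting buckets with none."""
    report = {name: acl_findings(cfg.get("acl", {})) + policy_findings(cfg.get("policy"))
              for name, cfg in buckets.items()}
    return {name: f for name, f in report.items() if f}

# Constructed sample configurations (bucket names are made up).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
ALL_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-b/*"}]})
SAMPLE = {
    "example-a": {"acl": {"Grants": [OWNER, ALL_READ]}, "policy": None},
    "example-b": {"acl": {"Grants": [OWNER]}, "policy": OPEN_POLICY},
    "example-c": {"acl": {"Grants": [OWNER]}, "policy": None},   # default: owner only
}
```

Calling audit(SAMPLE) reports example-a for its public-read ACL grant and example-b for its wildcard policy statement, while example-c, which keeps the owner-only default, produces no finding.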