Global consulting firm Accenture left a trove of sensitive customer data exposed on four unsecured Amazon Cloud servers, allowing anyone with knowledge of their web addresses to download the information, researchers said on Tuesday.
The cybersecurity firm UpGuard discovered in mid-September that four Amazon Web Services S3 storage buckets had been set up for public access. The buckets held API data, authentication credentials, decryption keys and customer information related to Accenture's cloud management platform.
Accenture’s cloud customers purportedly include 94 of the Fortune 100 companies.
“In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,” UpGuard wrote in a blog post.
“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The specter of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients.”
A spokesperson for Accenture insisted that there was no risk to the company's clients and that sensitive information was not compromised.
"There was no risk to any of our clients -- no active credentials, [personally identifiable information] or other sensitive information was compromised," the Accenture spokesperson told The Hill. "We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications."
Chris Vickery, director of cyber risk research at UpGuard, notified the company after making the discovery. Accenture secured the storage buckets the following day, UpGuard said.
UpGuard has made a number of notable discoveries concerning companies inadvertently exposing data on cloud servers. In July, the company’s research arm discovered that data on millions of Dow Jones customers had been potentially exposed to unauthorized access on Amazon Cloud as a result of a configuration error.
This post was updated at 5:32 p.m. to reflect the comment from Accenture.