Accenture exposed customers’ private data, and could have experienced a major breach, by failing to secure cloud storage hosted by Amazon Web Services.
The potential breach was discovered last month by Chris Vickery, the director of cyber risk research at UpGuard, who alerted Accenture to the situation.
The corporate consulting and management firm left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both Accenture and its clients.
UpGuard says that the servers’ contents appear to be the software for the corporation’s enterprise cloud offering, Accenture Cloud Platform.
This service is described by Accenture as a multi-cloud management platform used by its customers, including 75% of the Fortune 500.
Vickery discovered four Amazon Web Services S3 storage buckets configured for public access, downloadable by anyone who entered the buckets’ web addresses into an internet browser.
“Taken together, the significance of these exposed buckets is hard to overstate,” UpGuard writes. “In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”