Cybersecurity consultancy firm Accenture in colossal data breach

Cybersecurity consultancy firm Accenture reportedly held an incredible amount of sensitive customer data on four cloud servers that were not password-protected. There were some 137GB of data on Amazon’s cloud bucket that included decryption keys, and without a password, the account was essentially available for access by the public.

The unsecured servers were discovered by a security research firm, UpGuard, in mid-September. They found:

• Secret Application Programming Interfaces
• Authentication credentials
• Certificates
• Decryption keys
• Customer information

The amount of information the Fortune Global 500 firm put at stake is probably enough to keep board members up at night.

What could have happened if someone with malicious intent found the exposed data?

The company notes on its websites that it works with many FTSE 100 companies, including “Unilever, Royal & Sun Alliance, BT, Vodafone, BP and Shell.” In working with these major firms, Accenture assumedly had access to sensitive customer data, or perhaps information that could have provided access to customer data.

As the world’s sixth largest cybersecurity and security-consultancy firm, failure to even put a password on the cloud buckets is astonishing and hardly instils confidence for corporate customers.

In the new modern world where files are accessed are shared across different platforms and firms, companies must ensure that they do their part when it comes to cybersecurity, or risk being the weakest link that drags the partnering organisations down with them.

It seems the business consultancy company should have taken a leaf from its own book; quite literally from its own research document Risk Management report from 2009. Eight years ago, it warned of the increasing problem cyber risks carried in the business world. It recommended Smart Technologists to “effectively support IT function by accurately reporting cyber risks to the board” and the use of “process controls” to take into account of cyber risks.

The company offers advice and support on:

• Cyber Risk and Resilience;
• Cyber Defence;
• Cyber Security.

UpGuard said:

“…taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these buckets, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.”

Even those with less than sophisticated IT skills could reportedly have been able to simply download the material and put it up-for-sale on the dark web.

Although no malicious activity or suspicious behaviour has been reported, UpGuard has not ruled out the possibility that someone has already “used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather information,” waiting for an opportune moment to strike.