It is an amazing story. Organization after organization uses a variety of Amazon services, and organization after organization doesn’t seem to understand that if you put data out in the cloud and don’t protect it, it may be compromised.
Last month it was Deloitte.
This month it is Accenture.
I would be more sympathetic if the story was about Joe’s Plumbing, but it is not. Both Accenture and Deloitte have thousands of IT people working for them (no, probably, tens of thousands) and sell cyber security consulting.
Does it make sense to pay hefty fees for advice from companies that can’t even seem to follow simple recommendations like protecting sensitive data stored in the cloud?
This is not a story about some sophisticated nation state attack using unknown zero day exploits chained together in dizzying sophistication. No, this is a story of human error and bad cyber security hygiene. If Accenture had followed the advice that I am sure they give to their clients, I would not be writing this story.
So, what is the story?
One more time our friend Chris Vickery found four Accenture servers storing data in Amazon’s S3 cloud lying there with no security. Remember that Amazon’s default is PRIVATE, so for a bucket to be public, someone has to intentionally change it.
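Because a bucket only becomes public when someone changes its ACL or attaches a bucket policy, the basic hygiene check is to read those two documents back and flag anything that grants access to everyone. The script below is an added example written for this post, not code from Accenture, Amazon or the original article. It works on the JSON shapes the S3 API returns for a bucket ACL and a bucket policy (the same structures boto3’s `get_bucket_acl` and `get_bucket_policy` hand back), using constructed sample documents so it runs offline; the bucket name `example-bucket` and the statement IDs are made up for illustration.

```python
import json

# Grantee group URIs that make a bucket or object readable by the whole internet
# (AllUsers) or by anyone with any AWS account (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (grantee URI, permission) for every ACL grant to a public group.

    `acl` has the shape of an S3 GetBucketAcl response: {"Owner": ..., "Grants": [...]}.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    # A bucket policy can say "*" directly or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Allow statements whose Principal is everyone.

    Each finding records the Sid (or its index), the actions, and whether the
    statement carries a Condition; a conditional statement may be scoped to a
    VPC endpoint or source IP, so it is reported but not treated as fully open.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", "statement[%d]" % i),
            "actions": actions,
            "conditional": "Condition" in stmt,
        })
    return findings


def bucket_is_public(acl, policy):
    """True if the ACL grants to a public group or the policy has an unconditional
    everyone-Allow statement."""
    if public_acl_grants(acl):
        return True
    return any(not f["conditional"] for f in public_policy_statements(policy))


# Constructed sample documents (not real Accenture configuration): an ACL with a
# world-READ grant and a policy with one open statement and one VPC-scoped one.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

if __name__ == "__main__":
    print("ACL public grants:", public_acl_grants(SAMPLE_ACL))
    print("Policy everyone-statements:", public_policy_statements(SAMPLE_POLICY))
    print("Bucket is public:", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY))
```

Against the sample input the ACL check reports the AllUsers READ grant and the policy check reports `PublicRead` (unconditional) and `VpcOnly` (conditional), so the bucket is flagged public. In a real audit you would feed each bucket’s actual ACL and policy through these two functions; a bucket with no policy simply yields no policy findings, and the Deny statement is ignored because only Allow statements widen access.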
What was on these four servers you ask? Good question!
- Private signing keys that could be used to sign software and impersonate the company
- Passwords, some of which were stored in plain text – not encrypted
- Accenture’s master keys for their copy of Amazon’s Key Management System. What this is, basically, is the key to the vault. The Key Management System is a tool that Amazon sells to large customers who don’t trust Amazon to securely encrypt their data. They want to be able to encrypt their data and protect their own keys. Since, apparently, Accenture was neither encrypting this data nor protecting their encryption keys, they might have been better off letting Amazon do that job for them.
- Keys and certificates used to encrypt customer traffic
- One server contained 137 gigabytes of data, including almost 40,000 passwords.
Accenture, not surprisingly, likely worried about losing clients and being sued, said that none of its clients’ information was involved. If that is true, what, exactly, were those 40,000 passwords and encryption keys protecting – Grandma Accenture’s Cole Slaw recipe? What was in the 137 gigabytes of data on that one server alone? I don’t quite buy that story. ZDNet called their bluff and they told them that an investigation is ongoing. I bet it is. And, I bet, there are unhappy customers around the world. Accenture said that the password database with the 40,000 passwords was two and a half years old and for a now decommissioned system. That is certainly possible, but that is only a teeny, weeny part of the data that was left exposed.
Accenture says that the server logs report that the only unauthorized access was Chris Vickery. If the database was two and a half years old, I hope the logs go back three or four years – but I doubt that they do.
In any case, this is yet another example of a very high priced consulting firm not implementing basic cyber security hygiene – like knowing where your data is stored and how it is protected. Very. Basic. Stuff. Accenture!
Information for this post came from ZDNet.