Menu
Accenture’s crucial data exposed

Accenture’s crucial data exposed

Four misconfigured AWS S3 storage buckets allowed for public downloads

Accenture had four cloud-based storage servers unsecured and publicly downloadable, according to cyber resilience company, UpGuard.

The failure, which UpGuard said exposed secret application processing interface (API) data, authentication credentials, certificates, decryption keys, customer information, and more data, was discovered on 17 September.

UpGuard director of cyber risk research, Chris Vickery, discovered four Amazon Web Services S3 storage buckets configured for public access, downloadable to anyone who entered the buckets’ web addresses into their internet browser. The buckets were titled “acp-deployment,” “acpcollector,” “acp-software,” and “acp-ssl”.

The data that could have been used to attack both Accenture and its clients was safe the day after the corporate consulting and management firm was alerted about the flaw.

All four S3 buckets contain highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform.

According to UpGuard’s announcement, one of the buckets, called “acp-deployment” appears to be largely devoted to storing internal access keys and credentials for use by the Identity API, which is apparently used to authenticate credentials.

This specific bucket contained a folder titled “Secure Store”, which had not only configuration files for the Identity API, but also a plaintext document containing the master access key for Accenture’s account with AWS’s Key Management Service.

Still within “acp-deployment” there were several client.jks files stored in some cases alongside what UpGuard believe to be the plaintext password necessary to decrypt the file.

“It is unknown precisely what the keys in clients.jks could be used to access. Private signing keys were also exposed within these files - placing a critical tool in the hands of anyone who encountered them,” UpGuard wrote.

According to UpGuard, the acpcollector bucket contains data into Accenture’s cloud stores and its maintenance. The acp.software bucket is believed to contain large data dumps due to its 137 GB size. The information could include credentials for some Accenture’s clients.

Other key information such as 40,000 plaintext passwords could be found in the bucket.

There were also data dumps from the Zenoss event tracker used by Accenture, revealing such incidents as the adding of new users, recording of IP addresses, and JSession IDs which, if not expired, could be plugged into cookies to gain entry past authentication portals. UpGuard’s examination revealed a number of Accenture clients recorded in this manner.

According to UpGuard “this cloud leak shows that even the most advanced and secure enterprises can expose crucial data and risk serious consequences”.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags CloudbreachaccenturefailureAWSdata exposed

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments