Accenture The Latest To Leave Sensitive Customer Data Sitting Unprotected In The Amazon Cloud

from the please-stop-doing-that dept

What is it exactly that makes not storing sensitive customer data unprotected on an Amazon server so difficult for some people to understand?

Verizon recently made headlines after one of its customer service vendors left the personal data of around 6 million consumers just sitting on an Amazon server without adequate password protection. A GOP data analytics firm was also recently soundly ridiculed after it left the personal data of around 198 million adults (read: almost everybody) similarly just sitting on an Amazon server without protection. Time Warner Cable (4 million impacted users) and an auto-tracking firm named SVR Tracking (540,000 users) also did the same thing.

Now Accenture (which you would think would have the expertise to know better) has decided to join the fun. Reports this week indicate that the company left hundreds of gigabytes of sensitive customer information...you guessed it...sitting open to anyone on the internet on an unsecured Amazon server. That includes 40,000 passwords stored in plaintext in one backup database:

"Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100."

As is usually the case, the scope and damage of these kinds of screw-ups are generally under-reported until the exponential impact of the exposed data becomes clear. For example, in this case, much of the data included passwords and encryption keys that will likely prove helpful in hacking not only Accenture, but other companies' systems:

"One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network."

When news outlets originally reached out to Accenture, the company insisted that "none of our client's information was involved and there was no risk to any of our clients," and maintained that the company's "multi-layered security model" worked as intended. Security researchers have subsequently proven that simply wasn't the case, resulting in Accenture issuing an updated statement saying they're investigating the issue more deeply.

All told, it's unclear how many times this exact same story needs to play out before companies stop leaving data sitting unprotected in an Amazon bucket, but it's abundantly clear we have at least a few more trips around this merry-go-round of dysfunction before the lesson sinks in.


Filed Under: amazon cloud, data, security

Companies: accenture