UpGuard has yet again uncovered a trove of corporate data left unprotected, this time from major consulting and management firm Accenture. The data -- contained on four cloud-based storage servers -- were discovered by UpGuard Director of Cyber Risk Research Chris Vickery in mid-September and weren't protected by a password. Anyone with the servers' web addresses could download the stored information, which included decryption keys, passwords and customer info. And Accenture's client list includes a number of large companies. On its website, Accenture says its clients "span the full range of industries around the world and include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500."
UpGuard says that the information stored on the unprotected servers could have been used to attack Accenture itself as well as a number of its clients and Vickery told ZDNet that the data amounted to the "keys to the kingdom." In a blog post about the exposure, UpGuard said, "Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage."
This data exposure is just the latest to be sniffed out by cybersecurity firm UpGuard. Other recent discoveries by the company include Election Systems & Software's exposure of 1.8 million Chicago residents' personal information, Deep Root Analytics' leak of nearly 200 million US citizens' data, the release of 14 million Verizon customers' info by Nice Systems and exposure of classified intelligence data by a US defense contractor. In light of these repeated mishandlings of sensitive data, it's becoming increasing clear that major companies need to take a serious look at their cybersecurity practices.
UpGuard quickly notified Accenture after discovering the exposed data and the company secured the servers soon thereafter. Accenture also said that UpGuard was the only non-authorized visitor to access the servers. Accenture told ZDNet, "We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system."