UpGuard, an Australian IT company that does cyber threat risk assessment for large businesses, revealed that Accenture, a global management consulting firm, exposed sensitive data of its clients via four publicly accessible servers. The Accenture Cloud Platform includes clients from 94 Fortune 100 companies and three-quarters of Fortune 500 companies.
The unsecured servers exposed information such as secret API data, authentication credentials, certificates, decryption keys, customer information, and other data that could have been used to attack Accenture’s clients.
Discovering The Exposed Servers
On September 17, UpGuard Director of Cyber Risk Research Chris Vickery discovered four Amazon Web Services (AWS) S3 storage buckets that were configured for public access, which means anyone could have downloaded the data on them as long as they had the buckets’ addresses. If this is starting to sound familiar, it’s because one of Verizon’s partners recently exposed the data of 14 million Verizon Wireless customers in the same way.
According to UpGuard, Accenture’s cloud platform credentials and configurations could be found on these public servers, which could have given an attacker access to other more private Accenture servers.
All four AWS S3 buckets were managed by an account called “awsacp0175.” One of the buckets called “acp-deployment” seemed to have been primarily used for the storage of internal access keys and credentials for use by the Identity API, which is used to authenticate credentials.
A folder in the same bucket, called “Secure Store,” contained not just configurations files for the Identity API, but also a plaintext document with the master access key for Accenture’s account to the AWS Key Management Service. This would have given an attacker access to an unknown number of credentials.
The bucket “acpcollector” seemed to contain VPN keys used for Accenture’s private network, which may have exposed a view of Accenture’s cloud ecosystem. The same bucket contained logs of events occurring in each cloud instance, which could have enabled malicious actors to gain insights into Accenture’s operations.
Another bucket called “acp-software” contained over 40,000 plain-text passwords in one of the database backups. Only some of the passwords were hashed, which means Accenture doesn’t seem to comply with that security best practice. Access keys to Enstratus, a cloud infrastructure management platform, as well as Accenture’s Google and Azure account credentials were also exposed in this bucket.
The final “acp-ssl” bucket contained more private keys and certificates that could have been used to decrypt the traffic between Accenture and its clients.
The four exposed servers could have given attackers the ability to hack into and steal information from thousands of Accenture’s corporate clients, creating unimaginable damage. This is also why it’s so strange that a company such as Accenture would make such a rookie mistake of exposing so much sensitive information, such as private keys, credentials, and plain-text passwords, on public AWS S3 servers. The AWS S3 servers aren’t typically public by default, which means someone must have made these highly-sensitive servers public and accessible via a simple web link.
The good news is that it only took Accenture a day to fix the problem after being notified by UpGuard on September 18. However, we don’t know for how long these servers were publicly accessible. It could have been days, weeks, or months.
Accenture may reveal more information in the future as it concludes its internal investigation to appease its corporate clients whose confidence in Accenture's ability to keep their private data safe may have been shaken by the UpGuard revelations.