Accenture is one of the latest companies that UpGuard Director of Cyber Risk Research Chris Vickery has discovered storing data insecurely on cloud-based servers from Amazon Web Services.

Yet another company has mistakenly exposed its sensitive internal information after storing data on misconfigured cloud-based servers from Amazon Web Services. The culprit in this case – the $32.9 billion consulting and professional services company Accenture – was found to be insecurely storing data that, ironically, has to do with its own cloud-based enterprise solution, the Accenture Cloud Platform.

Chris Vickery, director of cyber risk research at cyber firm UpGuard, discovered the problem last September, after determining that Accenture was using four publicly downloadable AWS S3 storage buckets to store sensitive information such as API data, authentication credentials, certificates, decryption keys, configurations, and customer information – all pertaining to the consulting firm's multi-cloud management platform, including its customers and inner workings.

According to an Oct. 11 UpGuard blog post, attackers could have leveraged any of this information – accessible via a simple URL address – to attack any of Accenture's clients, which include 94 companies on the Fortune Global 100 list. For instance, post author Dan O'Sullivan noted that malicious actors could have used exposed credentials to impersonate Accenture, conduct reconnaissance on the corporate network, and launch password reuse attacks.

"In a worst-case scenario, it is not unforeseeable that complete enterprise-level swaths of data could have been at risk for many clients," said Vickery in an email interview with SC Media.

However, a spokesperson from Accenture claimed to ZDNet that UpGuard was the only outside entity to access the servers, which were reconfigured as private the day after Vickery reported his findings to the Dublin, Ireland-based company. Accenture has also attested that the credentials found on the servers were old and inactive.

An Accenture spokesperson further elaborated in a statement provided to SC Media: "None of our clients' confidential information was involved and there was no risk to any of our clients," the statement reads. "No active credentials were compromised. We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications."

UpGuard's analysis of the cloud-based storage revealed four subdomains: "acp-deployment," "acpcollector," "acp-software" and "acp-ssl" – all of which were maintained by an account named “awsacp0175.”

The “acp-deployment” bucket apparently contained internal access keys, credentials, and configuration files linked to an API used for authentication purposes. Also included in this bucket was a plaintext document with the master access key for Accenture's AWS Key Management Service account. Additionally, there were encrypted “client.jks” files, the nature of which is unknown, along with a plaintext password needed to decrypt these files, as well as private signing keys.

UpGuard further reported that the “acpcollector” bucket appeared to “contain data necessary for visibility into and maintenance of Accenture's cloud stores,” including “VPN keys used in production for Accenture's private network,” as well as internal logs.

Meanwhile, the “acp-software” bucket included hashed credentials and 40,000 plaintext passwords, access keys for a cloud infrastructure management platform, information about Accenture's ASGARD database, data dumps from an event tracker solution, and apparent credentials for Google and Azure accounts.

Finally, the “acp-ssl” bucket was found to contain keys for gaining access to various Accenture environments, as well as certificates.

UpGuard and Vickery have a history of finding organizations' exposed AWS S3 servers, and have recently disclosed similar incidents involving Viacom, Dow Jones, the Department of Defense, Verizon, voting machine firm Election Systems & Software, and Deep Root Analytics, a data analytics firm contracted by the Republican party.

"There have been so many similar incidents, it feels less and less like individual companies are suffering long term, and more and more like entire industries are facing the loss of public confidence in their security posturing," Vickery told SC Media. "That's not to say that individual companies are facing fewer consequences, but that the concerns regarding entire facets of our economy are dwarfing the concerns about individual outfits, which are nevertheless increasing."