The Accenture Leak
A few days ago, Accenture, the IT consulting giant, confirmed it had exposed sensitive information to the public internet. The finder, Upguard, reported the leak privately to Accenture in mid-September 2017, and Accenture fixed it within 24 hours. The breach impacted the Accenture Cloud Platform, hosted on Amazon S3 servers. The exposed details read like a who’s-who of sensitive information: private digital signature keys, plaintext passwords, certificates, internal emails, and confidential customer data. Reports indicate that four AWS servers suffered from this leakage. The leaked data included credentials for Azure and Google accounts, which implies the full scope of this and other breaches could be much worse than initially thought.
Why This Matters
The kind of data leaked means that attackers have a pre-made list of passwords that could be used to access sensitive data. A more determined attacker can use the leaked private keys and certificates to impersonate an Accenture system or employee. They could then access all manner of sensitive internal data. Even worse, if a potential or current customer reaches out to the spoofed system, the attacker could compromise their data as well. The possibilities are endless.
As reported by Dan O’Sullivan, “Taken together, the significance of these exposed buckets is hard to overstate. In the hands of competent threat actors, these cloud servers, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage.” No one, especially one of the Fortune Global 100 companies that employ Accenture, wants to work with someone so lax on security. When a company one trusts as a cybersecurity professional suffers from a breach so avoidable, it makes one wonder what else is wrong. What other data could have been leaked? Employee PII? Customer payment details? It will be interesting to see how Accenture’s perception as an IT security leader changes in the coming months.
What You Can Do
- Use secure passwords – Step number one: always encrypt sensitive data with a password. The password needs to be unique, random, and include special symbols and spaces for maximum security. Hash the password with a salt so that common password attacks fail, or at least run much more slowly than normal. Store the password hash on a server not exposed to the public. Change it regularly, ideally every 90 days. If your company doesn’t have a password policy, make one immediately.
- Don’t put sensitive data on the public cloud – Don’t put sensitive data like credentials, keys, and certificates on a public-facing cloud if possible. If you have to, lock that server down as much as possible. Disable all unnecessary server processes and applications. Give access only to those people who need it regularly to complete their job duties. Make sure those people use unique credentials and change them often. Conduct vulnerability assessments and penetration tests regularly. Try to get “fresh eyes” on the system by getting third-party providers to help. Fix anything they find immediately.
Need some help with locking your cloud resources down? Not a problem; we’d love to help. Click here to contact us directly to see how we can work together. Don’t let what happened to Accenture happen to you.
– Upguard’s initial disclosure report
– Information Security Magazine’s coverage
Secure Compliance Solutions LLC (SCS) provides a wide range of CISO advisory consulting and Managed Security Services that help our clients build and strengthen their strategic Information Security and Data Privacy programs. SCS believes that a comprehensive implementation of industry-tested frameworks and standards not only helps organizations meet their compliance goals, but significantly strengthens overall security posture. We raise awareness of current security trends and risks to prepare personnel to recognize potential security issues. Our Managed Security Service is designed so clients can offload the responsibility of “constant watch” against both internal and external cyber threats and attacks. SCS helps our customers wade through complex and evolving cybersecurity regulations, and defends their business interests against increasingly sophisticated cyber threats. At SCS, we champion a strategy of readiness and resilience that facilitates business risk mitigation and enables dynamic response capabilities.