Accenture The Latest To Leave Sensitive Customer Data Sitting Unprotected In The Amazon Cloud
from the please-stop-doing-that dept
What is it exactly that makes not storing sensitive customer data unprotected on an Amazon server so difficult for some people to understand?
Verizon recently made headlines after one of its customer service vendors left the personal data of around 6 million consumers just sitting on an Amazon server without adequate password protection. A GOP data analytics firm was also recently soundly ridiculed after it left the personal data of around 198 million adults (read: almost everybody) similarly just sitting on an Amazon server without protection. Time Warner Cable (4 million impacted users) and an auto-tracking firm named SVR Tracking (540,000 users) also did the same thing.
Now Accenture (who you would think would have the expertise to know better) has decided to join the fun. Reports this week indicate that the company left hundreds of gigabytes of sensitive customer information...you guessed it...sitting open to anyone on the internet in an unsecured Amazon server. That includes 40,000 passwords sitting in one backup database that were stored in plaintext:
"Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.
As is usually the case, the scope and damage of these kinds of screw ups are generally under-reported, as the exponential impact of the exposed data becomes clear. For example in this case, much of the data included passwords and encryption keys that will likely prove helpful in hacking not only Accenture, but other companies' systems:
"One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network."
When news outlets originally reached out to Accenture, the company insisted that "none of our client's information was involved and there was no risk to any of our clients," insisting that the company's "multi-layered security model" worked as intended. Security researchers have subsequently proven that simply wasn't the case, resulting in Accenture issuing an updated statement saying they're investigating the issue more deeply.
All told, it's unclear how many times this exact same story needs to play out before companies stop leaving data sitting unprotected in an Amazon bucket, but it's abundantly clear we have at least a few more trips around this merry-go-round of dysfunction before the lesson sinks in.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: amazon cloud, data, security
Companies: accenture
Reader Comments
Subscribe: RSS
View by: Time | Thread
In college had a mentor at Accenture
[ link to this | view in chronology ]
Time for Amazon to teach CS basics
Seriously I have no idea how this constant stream of crap-decisions is happening. As to my subject, it might well be time for Amazon to issue certifications to those using the servers. And a special checkbox that asks if there is any passwords or whatever, which could also suggest not doing that or securing the server.
[ link to this | view in chronology ]
Re: Time for Amazon to teach CS basics
[ link to this | view in chronology ]
Re: Re: Time for Amazon to teach CS basics
We are well past eye-rolling stages.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
It's better this way for them because then it isn't one of probably hundreds of new insurance rules for accountability. Digital records are as good as "shredded" out of existence, so it's excellent for anything "shady" to just conveniently disappear, or later reappear somewhere more convenient for... someone. We don't know who, but whoever can access it for whatever appropriate reasoning they had.
This is a good way of keeping everyone happy. Governments, criminals, corporations, medical professionals, low-level police IT grunts.
*Everybody's* happier this way. (HUGE /s on all that)
[ link to this | view in chronology ]
First off, Amazon's S3 was not originally intended for secure storage of sensitive data, it was designed for easy-access storage for web servers. By definition, this was to be publicly-accessible, so high-security made no sense. This still reflects in the UI design. Security requires extra steps, and if you are not reasonably familiar with Amazon, you get to the point where you turn off all security, just to make it work.
Second, these types of problems tend to be what is currently being called "Shadow IT." This is when some dim bulb in Marketing, (or some other division, I just particularly hate Marketing departments,) has some brilliant analytics idea. Unfortunately, IT is backlogged six months on such requests, and then there is that pesky security review they absolutely INSIST on doing. So they break out their spending authority and hire their good buddy pal's 'Whiz-bang Marketing Consultants, LLP' to run their analysis. "No problem." says they, we'll just spin up some Amazon and have that for you in a week. And they do, and then they shut down the Amazon servers, and forget the storage.
The other one I tend to see is what I like to call the Pastebin problem. Someone in IT needs to store something, "just real quick", but the SAN is full, or allocation will take too long, etc. So they spin up some Amazon or dump it in Pastebin, (without security, because it's just for a minute,) and whoops, that's my phone ringing with a new crisis, I get back to this...what was I doing?
Security can be easy to setup, easy to use, or hard to breach. Pick two.
[ link to this | view in chronology ]
Is anyone paying attention?
I work in IT. I can't take a breath in my company, without having a security expert check my breath for telltale fumes. What did these other companies do, hire The Three Stooges?
[ link to this | view in chronology ]
I hope they failed to connect, otherwise there could be some assault charges being laid!
What's wrong with "originally tried to contact Accenture"
[ link to this | view in chronology ]