Systems integrator Accenture is the newest name responsible for a critical security exposure after it was found to have left sensitive customer information unsecured in AWS S3 storage buckets. These S3 buckets were used by Accenture’s cloud offering, “Accenture Cloud Platform,” which offers customers public and hybrid cloud services such as SAP and Oracle on AWS, Azure and other public cloud solutions. According to Accenture, 94 of the Fortune 100 are customers on the platform.
UpGuard, the highly noted security firm that discovered the misconfiguration, says all of these customers could be at risk. The S3 buckets contained more than 40,000 plaintext passwords. Some of these passwords were for Accenture clients, and others were Accenture credentials for additional AWS and Azure services they were using. This means that access to the unprotected data not only left the underlying data exposed but also provided access to other services that were supposedly protected. As UpGuard puts it perfectly, the implications are “hard to overstate.”
Similar events occurred throughout the past summer. These misconfigurations are human errors in which S3 access was left open to any AWS account. While AWS S3 buckets are set to private by default, users usually share information with others, and that is where a simple misconfiguration such as this one can happen. Most hacks and exposures are caused by human error, which leaves you wondering whether such public services are suitable for critical and sensitive data and applications. At Pure, we make it our business to include built-in software and hardware security features that fit your enterprise data. For a more in-depth discussion of these features and specs, please see my colleague Nick Psaki’s blog here.
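The misconfiguration described above, a bucket opened to any AWS account, can be caught by auditing a bucket's ACL and policy before data lands in it. The following is an added example, not code from Accenture, UpGuard or Pure; the function names and the sample ACL and policy are constructed for illustration, with the ACL in the shape returned by `aws s3api get-bucket-acl`.

```python
# Predefined S3 grantee groups that make a grant effectively open.
BROAD_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def audit_acl(acl):
    """Return one finding per ACL grant made to a global grantee group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = BROAD_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def audit_policy(policy):
    """Return one finding per Allow statement open to any principal with no Condition."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for s in stmts:
        if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal")) and not s.get("Condition"):
            findings.append(f"policy allows {','.join(_as_list(s.get('Action')))} to any principal")
    return findings

# Constructed sample data (hypothetical bucket and owner id).
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL) + audit_policy(SAMPLE_POLICY):
        print(finding)
```

A statement with a Condition is skipped here only to keep the check short; a conditioned wildcard still deserves manual review.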