by Karl Bode

Accenture The Latest To Leave Sensitive Customer Data Sitting Unprotected In The Amazon Cloud

from the please-stop-doing-that dept

What is it exactly that makes not storing sensitive customer data unprotected on an Amazon server so difficult for some people to understand?

Verizon recently made headlines after one of its customer service vendors left the personal data of around 6 million consumers just sitting on an Amazon server without adequate password protection. A GOP data analytics firm was also recently soundly ridiculed after it left the personal data of around 198 million adults (read: almost everybody) similarly just sitting on an Amazon server without protection. Time Warner Cable (4 million impacted users) and an auto-tracking firm named SVR Tracking (540,000 users) also did the same thing.

Now Accenture (who you would think would have the expertise to know better) has decided to join the fun. Reports this week indicate that the company left hundreds of gigabytes of sensitive customer information...you guessed it...sitting open to anyone on the internet in an unsecured Amazon server. That includes 40,000 passwords sitting in one backup database that were stored in plaintext:

"Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100."

As is usually the case, the scope and damage of these kinds of screw-ups are initially under-reported, and only grow as the knock-on impact of the exposed data becomes clear. In this case, for example, much of the data consisted of passwords and encryption keys that would likely prove useful for attacking not only Accenture but other companies' systems as well:

"One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network."

When news outlets originally reached out to Accenture, the company insisted that "none of our client's information was involved and there was no risk to any of our clients," insisting that the company's "multi-layered security model" worked as intended. Security researchers have subsequently proven that simply wasn't the case, resulting in Accenture issuing an updated statement saying they're investigating the issue more deeply.

All told, it's unclear how many times this exact same story needs to play out before companies stop leaving data sitting unprotected in an Amazon bucket, but it's abundantly clear we have at least a few more trips around this merry-go-round of dysfunction before the lesson sinks in.
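An S3 bucket ends up "open to anyone on the internet" in one of two ways: a bucket ACL granting the AllUsers or AuthenticatedUsers groups, or a bucket policy with a wildcard principal. The following offline audit of both documents is an added example, not code from the article or from Accenture; it runs over constructed ACL and policy samples in the shape boto3's get_bucket_acl() and get_bucket_policy() return, and feeding it live responses from those calls is assumed.

```python
import json

# S3's canned group URIs for "anyone" and "any signed-in AWS account".
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def acl_public_grants(acl):
    """Permissions the ACL (shape of boto3 get_bucket_acl()) hands to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_public_statements(policy_json):
    """(Sid, actions) of Allow statements whose Principal is "*" and that carry no Condition."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": "*"} or {"AWS": [...]} forms
            principal = [p for v in principal.values() for p in _as_list(v)]
        principals = _as_list(principal) if principal is not None else []
        # Any Condition (e.g. aws:SourceIp) is taken as restricting; a simplification.
        if stmt.get("Effect") == "Allow" and "*" in principals and not stmt.get("Condition"):
            hits.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))))
    return hits

def bucket_exposure(acl, policy_json):
    """One verdict from both checks: "public" if either path opens the bucket."""
    return "public" if acl_public_grants(acl) or policy_public_statements(policy_json) else "private"

# Constructed sample documents (placeholders, not any real bucket).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
LOCKED_ACL = {"Grants": [OWNER]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
    "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::backup-bucket", "arn:aws:s3:::backup-bucket/*"]}]})
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "OrgOnly",
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::backup-bucket/*"}]})

if __name__ == "__main__":
    print(bucket_exposure(LEAKY_ACL, LEAKY_POLICY), bucket_exposure(LOCKED_ACL, LOCKED_POLICY))
```

The account- and bucket-level S3 Block Public Access settings override both mechanisms, so a complete audit also checks that they are enabled.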


Reader Comments


  • Anonymous Coward, 12 Oct 2017 @ 2:26pm

    In college had a mentor at Accenture

    This doesn't surprise me one bit. I had an Accenture mentor in college who was barely there. They were practically a pyramid scheme in structure in fast promoting people to management. The company gave a major feel of preferring teaching marketdroids and MBA-types programming so that they would think like upper management. I am not at all surprised that they would fail like that.


  • Anonymous Coward, 12 Oct 2017 @ 2:28pm

    Time for Amazon to teach CS basics

    Amazon servers are the problem (snark here).

    Seriously, I have no idea how this constant stream of crap decisions is happening. As to my subject, it might well be time for Amazon to issue certifications to those using the servers. And a special checkbox that asks if there are any passwords or whatever, which could also suggest not doing that or securing the server.


    • Anonymous Coward, 13 Oct 2017 @ 9:43am

      Re: Time for Amazon to teach CS basics

      "CS" meaning what here? Computer science? The "basics" there would be how to structure a database, not how to secure it. This is more about systems administration, system design, and privacy protection, which aren't taught in schools so much. The programmers may have done a good job coding the system to the specification; it's someone else's job to determine e.g. whether they actually need to collect all that information or whether it all needs to be online.


      • Anonymous Coward, 13 Oct 2017 @ 2:26pm

        Re: Re: Time for Amazon to teach CS basics

        I'm fine with that. With nearly anything more than this continual bumbling about.

        We are well past eye-rolling stages.


  • ralph_the_bus_driver (profile), 12 Oct 2017 @ 8:51pm

    It's the cloud, for crying out loud. What would you expect? If storing confidential information on someone else's server sounds smart, you're not.


  • Anonymous Coward, 12 Oct 2017 @ 9:17pm

    I'm starting to think that nobody who's influential wants any regulation or accountability of this whatsoever.

    It's better this way for them because then it isn't one of probably hundreds of new insurance rules for accountability. Digital records are as good as "shredded" out of existence, so it's excellent for anything "shady" to just conveniently disappear, or later reappear somewhere more convenient for... someone. We don't know who, but whoever can access it for whatever appropriate reasoning they had.

    This is a good way of keeping everyone happy. Governments, criminals, corporations, medical professionals, low-level police IT grunts.

    *Everybody's* happier this way. (HUGE /s on all that)


  • Anonymous Coward, 13 Oct 2017 @ 11:15am

    As an IT and InfoSec professional, while I cannot speak with knowledge of this incident, I'll tell you this is all too easy and all too common.

    First off, Amazon's S3 was not originally intended for secure storage of sensitive data, it was designed for easy-access storage for web servers. By definition, this was to be publicly-accessible, so high-security made no sense. This still reflects in the UI design. Security requires extra steps, and if you are not reasonably familiar with Amazon, you get to the point where you turn off all security, just to make it work.

    Second, these types of problems tend to be what is currently being called "Shadow IT." This is when some dim bulb in Marketing (or some other division; I just particularly hate Marketing departments) has some brilliant analytics idea. Unfortunately, IT is backlogged six months on such requests, and then there is that pesky security review they absolutely INSIST on doing. So they break out their spending authority and hire their good buddy pal's 'Whiz-bang Marketing Consultants, LLP' to run their analysis. "No problem," says they, "we'll just spin up some Amazon and have that for you in a week." And they do, and then they shut down the Amazon servers, and forget the storage.

    The other one I tend to see is what I like to call the Pastebin problem. Someone in IT needs to store something "just real quick", but the SAN is full, or allocation will take too long, etc. So they spin up some Amazon or dump it in Pastebin (without security, because it's just for a minute), and whoops, that's my phone ringing with a new crisis, I'll get back to this... what was I doing?

    Security can be easy to set up, easy to use, or hard to breach. Pick two.


  • Coyne Tibbets (profile), 14 Oct 2017 @ 2:24pm

    Is anyone paying attention?

    What is the deal this year? You can't turn on the news without hearing about another data breach. Have all these IT companies simply said, "It can't happen to us," and buried their head in the sand, with an anvil on top?

    I work in IT. I can't take a breath in my company without having a security expert check my breath for telltale fumes. What did these other companies do, hire The Three Stooges?


  • Eldakka (profile), 15 Oct 2017 @ 6:18pm

    "When news outlets originally reached out to Accenture,"

    I hope they failed to connect, otherwise there could be some assault charges being laid!

    What's wrong with "originally tried to contact Accenture"?
