Accenture latest firm caught with lax cybersecurity

07 November 2017

Accenture have become the latest major cybersecurity provider to be left red-faced regarding their own security. While it appears that major damage was averted, Accenture reportedly left a large cache of sensitive information without password protection on their cloud storage.

Cybersecurity has become one of the hot topics for businesses around the world. In the wake of numerous high profile attacks, consulting firms have increasingly been asked for assistance in shoring up their clients’ defences. However, the very advisory firms expected to deliver these solutions have themselves been the subject of high profile breaches in recent months.

Earlier in the year, the globe’s largest cybersecurity consultant, Deloitte, was publicly embarrassed following the revelation that it had been the victim of a major cybersecurity breach. According to sources close to the matter, hackers may have accessed usernames, passwords and personal details of the firm’s clients, in an attack that went unnoticed for months. The New-York-headquartered professional services firm brought in around $2.85 billion in revenue via its security consulting operations over the course of the past year – increasing by 14% over that same spell.

In late September this year, however, news emerged that during that very period the company had itself been the victim of a sustained cyber-attack, which potentially went unnoticed for a full six-month period, resulting in New York State’s Attorney-General taking action to investigate the reported cyber-attack. Earlier in the year, Eric Schneiderman also launched a similar probe of Equifax – following a potential breach of the data of 143 million Americans – starting a process which saw the firm's stock fall by 16% in one day.

Deloitte are not the only firm to have been implicated in a data breach in the autumn of 2017, however. Now, news has emerged that global professional services group Accenture may also have exposed highly sensitive data to outside access online. According to reports, a trove of highly sensitive data belonging to the Dublin-based corporate consulting and management firm was left online with no security controls or login credentials required to access it. Accenture, who also specialise in technology and cloud solutions, inadvertently left the private data spread across four cloud servers, potentially exposing sensitive passwords and private decryption keys. According to recent analysis, Accenture are the sixth largest cybersecurity and security consultancy in the world, bringing in $601 million in revenue related to the sector last year.

Cloud based

As with Deloitte’s incident, which took place on Microsoft’s cloud solutions platform Azure, the servers were hosted on a cloud storage facility, in this case Amazon’s S3. A security researcher discovered four AWS S3 storage buckets configured for public access, leaking internal emails, passwords, client data, and sensitive documents. If accessed, the data could have let attackers harm the firm and its clients without needing to exploit security flaws to get into Accenture’s cyberinfrastructure.

“It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The spectre of password reuse attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients,” concluded UpGuard, who exposed the potential breach.

At the time of publishing, the exposed data is thought to have been secured without issue after Accenture was alerted. However, as cybersecurity continues to be a major issue for businesses worldwide, clients will likely be unnerved by yet another potentially embarrassing episode for consulting firms often tasked with helping businesses apply technological solutions.

The world’s tenth largest cybersecurity provider, meanwhile, cut a number of jobs in its cyber intelligence sector. BAE Systems announced in October that it would downsize its UK division by 150 staff – in a move described as “short sighted” by workplace representatives.