Corporate tech giant leaves secret data exposed to public internet

A world-leading corporate consultancy and technology outsourcer left at least four cloud-based storage servers unsecured and publicly downloadable, exposing secret data, authentication credentials, certificates, decryption keys, customer information, and more data that could have been used to attack both the provider and its thousands of clients.

Fairfax Media can reveal that Accenture – one of the world's largest corporate consulting and management firms that has offices across Australia, and is also behind the national e-health record system – inadvertently allowed files belonging to its clients to be publicly available.

While there is no evidence to suggest that Australia's e-health system was compromised by Accenture's unsecured servers, Fairfax Media has been told that data belonging to ASX-listed Caltex Australia was exposed as part of the huge trove of highly sensitive information left unsecured.

It is understood the Caltex data exposed was "dummy" data provided by Caltex Australia to Accenture more than two years ago when Caltex was trialling an Accenture product that it did not end up using long term.

At a size of 137 gigabytes, one exposed data set contained large information dumps that included credentials, some of which appear to be for Accenture clients. IT company UpGuard, founded by Australians and based in Mountain View, California, revealed the breach on Wednesday in a blog post and told Fairfax Media that Caltex Australia data was exposed.

"This cloud leak of Accenture's internal data, including access credentials that could potentially have been used to attack clients, highlights the sad truth of cyber risk in 2017: nobody is safe," UpGuard co-CEO Mike Baukes told Fairfax Media.


"If the biggest corporations on Earth cannot keep critical internal data from being exposed due to internal misconfigurations, this has got to tell you something about how unequipped most enterprises are to effect cyber resilience across their IT operations, and secure not only the data of other major corporations but, inevitably, of the individual customers most victimised by data exposures."

While many of the passwords contained in the exposed data were hashed – or mathematically transformed into an alphanumeric string – a collection of nearly 40,000 plaintext passwords was found present in one of the database backups. Access keys for Enstratus, a cloud infrastructure management platform, were also found exposed, potentially leaking the data of other tools coordinated by Enstratus. Information about Accenture's ASGARD database, as well as internal Accenture email info, is also contained in a set of the data.

The data also contained several hours of screen-recorded videos showing internal Accenture employees logging into various systems and operating on internal networks. These videos also show emails and passwords within emails, UpGuard said.

Accenture behind Australia's e-health system

Australia's Department of Health and Ageing selected Accenture to design and implement Australia's Personally Controlled Electronic Health Record (PCEHR) system in August 2011. The initiative spans all Australia-based health systems and enables patients to manage care and records.

Fairfax Media does not suggest that Australia's e-health record system has been breached.

Australia's electronic health record system is currently an opt-in system, with the exception of two trial sites, but will switch to an opt-out system in the middle of next year.

Australians will then have to individually remove themselves from it if they don't want a health record that is accessible by many Australian health professionals and available via the online myGov portal.

Asked whether Accenture should be trusted with Australia's e-health record system given the exposure, an Accenture employee who declined to be identified said simply: "No."

In a statement provided to Fairfax Media, Caltex Australia said it contacted Accenture locally. It is understood that this occurred on Tuesday after a ZDNet technology journalist contacted Caltex Australia about the Accenture exposure.

"[Accenture] have told us they are not aware of any breach or exposure of our data," Caltex Australia spokesperson Elizabeth Rex told Fairfax Media.

Caltex also disputed the extent to which real customer data was made available, saying only "dummy" data was exposed.

"Mr Vickery's speculation is incorrect. We do not store and have never stored customer data or any confidential information with Accenture," Ms Rex said. 

But UpGuard told Fairfax Media Caltex data was exposed and provided screenshots to prove it:

"The [exposed] servers' contents appear to be the software for the corporation's enterprise cloud offering, Accenture Cloud Platform," said Chris Vickery, Director of Cyber Risk Research at IT company UpGuard.

ACP is a multi-cloud management platform used by Accenture's customers, which include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500.

"[This raises] the possibility that, if valid, exposed Accenture data could have been used for critical secondary attacks against these clients," Mr Vickery said.

Theoretically, he said, if a malicious actor knew where to look, Caltex Australia's data could have been easily pilfered.

"The category of services they are paying for provides a good guess that Caltex stores a good amount of data with Accenture. Our Cyber Risk Research team did not utilise the keys included in this exposure so we can't verify the exact data that was being stored with Accenture," Mr Vickery said.

"This database indicates that Accenture hosts SQL Database Backups and Virtual Machines for Caltex. That strongly suggests that if someone were indeed able to gain access to Accenture's infrastructure, access to that storage space could then be gained."

However, Fairfax has been told that the data was so-called "dummy" data provided to Accenture by Caltex to trial Accenture's ACP about two years ago.

When ZDNet first reached out to Accenture, ZDNet said the company downplayed the exposure, saying the data was less than half a per cent of its cloud service, and that "none of our client's information was involved and there was no risk to any of our clients".

When that assertion was challenged based on information provided by UpGuard, an Accenture spokesperson later said that the exposure was closed and that an investigation was ongoing.

"As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson told ZDNet.

Questions are now likely to be asked of Accenture by Australia's federal Health Minister, Greg Hunt, about the extent of the exposure and whether the government was affected.