What is it exactly that makes not storing sensitive customer data unprotected on an Amazon server so difficult for some people to understand?
Verizon recently made headlines after one of its customer service vendors left the personal data of around 6 million consumers just sitting on an Amazon server without adequate password protection. A GOP data analytics firm was also recently soundly ridiculed after it left the personal data of around 198 million adults (read: almost everybody) similarly just sitting on an Amazon server without protection. Time Warner Cable (4 million impacted users) and an auto-tracking firm named SVR Tracking (540,000 users) also did the same thing.
Now Accenture (who you would think would have the expertise to know better) has decided to join the fun. Reports this week indicate that the company left hundreds of gigabytes of sensitive customer information...you guessed it...sitting open to anyone on the internet in an unsecured Amazon server. That includes 40,000 passwords sitting in one backup database that were stored in plaintext:
"Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers. The servers, hosted on Amazon's S3 storage service, contained hundreds of gigabytes of data for the company's enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.
As is usually the case, the scope and damage of these kinds of screw ups are generally under-reported, as the exponential impact of the exposed data becomes clear. For example in this case, much of the data included passwords and encryption keys that will likely prove helpful in hacking not only Accenture, but other companies' systems:
"One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture's access to Google's Cloud Platform and Microsoft's Azure, which could give an attacker further access to the company's cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture's internal corporate network."
When news outlets originally reached out to Accenture, the company insisted that "none of our client's information was involved and there was no risk to any of our clients," insisting that the company's "multi-layered security model" worked as intended. Security researchers have subsequently proven that simply wasn't the case, resulting in Accenture issuing an updated statement saying they're investigating the issue more deeply.
All told, it's unclear how many times this exact same story needs to play out before companies stop leaving data sitting unprotected in an Amazon bucket, but it's abundantly clear we have at least a few more trips around this merry-go-round of dysfunction before the lesson sinks in.