Facepalm

Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

The servers, hosted on Amazon’s S3 storage service, contained hundreds of gigabytes of data for the company’s enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.

The data could be downloaded without a password by anyone who knew the servers’ web addresses.

Just put it in the hands of the experts, they said…

20 comments on “Facepalm”

  1. The first thing I do with any upgrade of my phone or operating system is track down every ‘Cloud’ setting, anywhere, and switch it off.

  2. Remember the rule: IT people are often modestly clever chaps who think themselves mightily clever chaps.

  3. There is only one question where the answer is Accenture:

    How can I spend £1,000 per day per ‘expert’ for clueless ‘wet behind the ears’ graduates who will screw up whatever project I have in mind?

  4. I’ve worked for Accenture for clients and been involved in working with them as a client. They are scum. If there’s a software equivalent of Premiere Properties in Glengarry Glen Ross, it’s those bastards.

    I wouldn’t mind if they were crooked and money grabbing, if they could actually deliver good software.

  5. dearieme,

    “Remember the rule: IT people are often modestly clever chaps who think themselves mightily clever chaps.”

    This isn’t even in the moderately clever end of things. This is simple OWASP Top 10 threats. Stuff that any consultancy building anything bigger than websites for craft breweries should know about. You lock down your servers for everything, except for the narrowest interfaces that you need. You write automated tests running on remote servers that try and download files that shouldn’t be downloadable and check the results and if you can get a file, someone gets a text message.

    I’m not at all surprised, though. Their technical leadership is poor. As Mr Yan says – it’s kids. And they’re mostly managed by sales people and PowerPoint jockeys.
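An added example for the two controls the comment above describes (it is editor-supplied code, not the commenter's and not Accenture's): first, a static check over an S3 bucket policy and ACL for grants that make objects readable by everyone, which is the misconfiguration the article reports; second, a canary that tries to download the objects with no credentials from outside the account and returns whatever succeeded, so a non-empty result is what triggers the text message. The bucket name, account ID, policy and ACL below are constructed samples; `fetch` is injectable so the canary can be exercised offline.

```python
import json
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# ACL grantee groups that make an object readable by anyone (AllUsers) or by
# any AWS account whatsoever (AuthenticatedUsers).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# IAM action names are case-insensitive, so they are compared lower-cased.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (alone or alongside other ARNs)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_public_reads(policy):
    """Return the Sids of Allow statements that grant read access to everyone."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def acl_public_grants(grants):
    """Return (grantee URI, permission) for every grant to a public group."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
    ]


def anonymous_get(url, timeout=10):
    """Fetch url with no credentials; return the HTTP status, or None if the
    host was unreachable (a different condition from 'locked down')."""
    try:
        with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:
        return err.code
    except URLError:
        return None


def canary_check(urls, fetch=anonymous_get):
    """Try to download each object anonymously and return the URLs that came
    back 200.  A non-empty list is the condition on which to page someone;
    `fetch` is injectable so the check can be tested without network access."""
    return [u for u in urls if fetch(u) == 200]


# Constructed sample inputs: a bucket policy and ACL in the misconfigured state
# the article describes (bucket name and account ID are made up).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DeployWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
SAMPLE_ACL = [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"},
     "Permission": "FULL_CONTROL"},
]

if __name__ == "__main__":
    print("public policy statements:", policy_public_reads(SAMPLE_POLICY))
    print("public ACL grants:", acl_public_grants(SAMPLE_ACL))
```

The static check catches the grant before anything is uploaded; the canary catches whatever the static check missed (a CDN or proxy in front of the bucket, an object ACL set per-upload). Run the canary from a host outside the account, because a 403 seen from inside proves nothing about what an outsider gets.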

  6. Wot Bloke on M4 said.

    I have had the misfortune of being involved with projects alongside Accenture. They are worse than fucking useless. Not one of the “consultants” they had on site were capable of reading a technical spec.

  7. I’ve also been involved with them.

    The first clue is the name, which approaches the upper end of the Wank scale.

  8. My experiences with Accenture and their forerunner Andersen Consulting were invariably negative. Fools, I guess is a better description, generally technologically inept but martinets as project managers. I once turned down a job opportunity with them citing “Professional pride” to their shocked HR consultant.

    Anyways this sort of story no longer surprises me after I had a security experience in a similar vein.
    I used to have a website for my company in Austria. Nothing special, a few HTML pages just with contact info and some case studies. It was hosted by A*st*i* T*l*kom and was part of the broadband package. As I was leaving Austria, I was just running things down and had mostly disabled the site’s links ready to cancel the contract.
    I regularly used to look at the logs to see who visited, mostly Chinese and Indian search engines that I could detect. One day I noticed a file that didn’t exist on my site being downloaded. I logged onto the file system and saw that indeed a few alien files had appeared in my directory. I deleted them and changed the password. Next day they were back there again. They were .asp files that redirected one to some dodgy Chinese site and someone selling horses in Australia (??!!??). These files were obviously being uploaded by a user who had root access to the Windows server and distributing them amongst the users, because the log files showed no login attempts apart from mine.
    I wrote a little script on my home computer that logged on to the server every few minutes to delete any spurious files and emailed the provider to complain.
    They replied that I could have a free upgrade to a new server.
    I said that my website was unimportant as I was about to close it, but that they had a serious security breach.
    This toing and froing went on, with my increasingly shrill complaints about their lax security until eventually a more senior techie wrote back.
    These servers were no longer being maintained, customers were being offered migration to new servers and help converting any scripts from Windows to Linux. But only if they enquired.
    In other words, they were allowing customers (probably including commercial sites) to stay on these compromised servers that were sitting in some rack, forgotten about and would make no effort to investigate who was wandering around inside them. I shut down the site and cancelled the contract then and there.
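An added example of the kind of tripwire the commenter above describes (editor-supplied, not the commenter's script): a baseline manifest of the web root's files and their SHA-256 hashes, a diff against the current state, and a step that moves any file not in the baseline out of the web root. It quarantines rather than deletes, so the dropped files survive for a look at what they did. The site files and the injected `.asp` page below are constructed in a temporary directory so the whole thing runs offline.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline, current):
    """Return (added, modified, missing) paths relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, modified, missing


def quarantine_unexpected(root, baseline, quarantine_dir):
    """Move files absent from the baseline out of the web root and report
    what moved, plus any baseline files that were altered or removed."""
    added, modified, missing = diff_manifest(baseline, build_manifest(root))
    moved = []
    for rel in added:
        src = Path(root) / rel
        dst = Path(quarantine_dir) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        moved.append(rel)
    return moved, modified, missing


def demo():
    """Constructed scenario: a clean two-page site is baselined, then a
    redirect page is dropped in and index.html is tampered with."""
    tmp = Path(tempfile.mkdtemp())
    site, quarantine = tmp / "site", tmp / "quarantine"
    (site / "cases").mkdir(parents=True)
    (site / "index.html").write_text("<html>contact info</html>")
    (site / "cases" / "study1.html").write_text("<html>case study</html>")
    manifest_file = tmp / "baseline.json"
    manifest_file.write_text(json.dumps(build_manifest(site)))

    # Something else with write access to the share drops a redirect page
    # and edits an existing one (constructed, not a real sample).
    (site / "redir.asp").write_text(
        '<% Response.Redirect("http://example.invalid/") %>')
    (site / "index.html").write_text("<html>contact info</html><!-- x -->")

    baseline = json.loads(manifest_file.read_text())
    moved, modified, missing = quarantine_unexpected(site, baseline, quarantine)
    still_in_webroot = (site / "redir.asp").exists()
    shutil.rmtree(tmp)
    return moved, modified, missing, still_in_webroot


if __name__ == "__main__":
    print(demo())
```

Keep the baseline file somewhere the web server's user cannot write, or whoever is dropping the files will simply add theirs to it. And note what this does and does not do: it tells you the box has been touched, which is exactly what the commenter needed to make the case to the provider; it cannot keep out someone who, as the story suggests, already has administrative access to the host.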

  9. My experiences with Accenture and their forerunner Andersen Consulting were invariably negative. Fools, I guess is a better description, generally technologically inept but martinets as project managers.

    Don’t forget the arrogance. You can’t adequately describe Andersen/Accenture without mentioning that.

  10. Accenture, while maliciously incompetent, aren’t actually any worse than any of the others.

    And, let’s be honest, the reserve army of the ‘kids with clipboards’ are generally quite bright and some of them are even open to learning. I do resent, however, having to train the people who are supposed to be providing me with consultancy assistance.

  11. SE

    PA Consulting rank alongside Accenture for uselessness.
    I can think of one PA chap for whom I had any time and that was because he couldn’t give a stuff about becoming a partner but actually wanted to learn about the subject to which he had been assigned.

  12. “How can I spend £1,000 per day per ‘expert’ for clueless ‘wet behind the ears’ graduates who will screw up whatever project I have in mind?”

    Is this what IT consultants charge? I thought it would be more.

  13. They were .asp files that redirected one to some dodgy Chinese site and someone selling horses in Australia (??!!??). These files were obviously being uploaded by a user who had root access to the Windows server and distributing them amongst the users, because the log files showed no login attempts apart from mine.

    I had something similar last year, .asp files being uploaded into my site directory. God knows how they got there.

  14. This is bush league. Accenture is a behemoth, though, and paradoxically it’s often harder to find (or exploit, certainly) talent the bigger the organisation gets. There’s also the problem that changing a configuration on their S3 instance probably requires several rounds of memo ping-pong whereas a smaller operation would just let their DevOps guy get on with it.

  15. Another thought:

    Technology and cloud giant Accenture has confirmed it inadvertently negligently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.
