- EY exposed a 4TB SQL backup containing sensitive credentials and application secrets online
- Neo Security warned EY; researchers suspect that threat actors may already have accessed the data.
- EY responded professionally but took a week to fully resolve the issue.
Ernst & Young (EY), one of the world’s largest accounting firms, left a complete database backup on the public Internet, available to anyone who knew where to look. The backup, a .BAK file, was 4 TB in size and contained sensitive material such as schemas, data, stored procedures, and “all the secrets stored in those tables.”
This is according to a security researcher at Neo Security, who was doing “low-level tooling work” when a SQL Server BAK file caught his attention.
The researcher didn’t download the entire database (because that would be a felony), but says that such files typically contain “API keys, session tokens, user credentials, cached authentication tokens, service account passwords. Whatever the application stored in the database. Not just one secret… all the secrets.”
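The two checks a defender would want after reading this are (1) is anything backup-shaped sitting in a publicly readable location, and (2) what would a dump like that actually hand over. The script below is an added example, not code from the article, from Neo Security or from EY: it runs over a constructed storage inventory (a hypothetical list of objects with a `public` flag) and a constructed seven-line SQL dump excerpt in which every value is fake, flags the public backup files, and reports secret-shaped values by redacted preview so the result can be pasted into a ticket without re-leaking the secret.

```python
import re
from dataclasses import dataclass

# File extensions that normally indicate a database or filesystem backup.
# Checked longest-first so "x.sql.gz" reports ".sql.gz" rather than nothing.
BACKUP_EXTENSIONS = (".sql.gz", ".tar.gz", ".bacpac", ".dump", ".bak", ".sql", ".zip")

# Secret shapes worth flagging inside a dump. The first and last entries key on a
# column/variable name followed by a value; the middle two key on the value's shape.
SECRET_PATTERNS = {
    "password_assignment": re.compile(
        r"(?i)(password|passwd|pwd)['\"]?\s*[=:,]\s*['\"]?([^\s'\",;)]{6,})"),
    "bearer_or_jwt": re.compile(
        r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret[_-]?key|access[_-]?token)['\"]?\s*[=:,]\s*['\"]?([A-Za-z0-9_\-]{16,})"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    preview: str  # redacted, safe to put in a ticket


def redact(value: str) -> str:
    """Keep enough of the value to recognise it, never enough to reuse it."""
    return f"{value[:4]}...({len(value)} chars)"


def backup_extension(name: str):
    """Return the backup-style extension of a file name, or None."""
    lower = name.lower()
    for ext in BACKUP_EXTENSIONS:
        if lower.endswith(ext):
            return ext
    return None


def exposed_backups(inventory):
    """Names of objects that are both publicly readable and look like backups."""
    return [o["name"] for o in inventory if o["public"] and backup_extension(o["name"])]


def find_secrets(dump_text: str):
    """Scan dump text line by line; report each secret-shaped value, redacted."""
    findings = []
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a name group capture the value in the last group;
                # value-shape patterns have no groups, so take the whole match.
                value = m.group(m.lastindex or 0)
                findings.append(Finding(kind, line_no, redact(value)))
    return findings


# Constructed storage inventory (hypothetical; not EY's files): name, size, public flag.
INVENTORY = [
    {"name": "site/index.html", "size_bytes": 12_000, "public": True},
    {"name": "site/assets/logo.png", "size_bytes": 40_000, "public": True},
    {"name": "site/db/prod_full.BAK", "size_bytes": 4 * 1024**4, "public": True},
    {"name": "archive/export-2024.sql.gz", "size_bytes": 900_000_000, "public": False},
    {"name": "site/notes.txt.bak", "size_bytes": 3_000, "public": True},
]

# Constructed excerpt of a SQL dump; every value below is fake.
SAMPLE_DUMP = "\n".join([
    "-- constructed sample dump; all values are fake",
    "INSERT INTO users (id, email) VALUES (1, 'alice@example.com');",
    "INSERT INTO app_config (k, v) VALUES ('smtp_password', 'Winter2024!secret');",
    "INSERT INTO app_config (k, v) VALUES ('password_reset_enabled', 'true');",
    "INSERT INTO sessions (user_id, token) VALUES (7, 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdmMtYmlsbGluZyJ9.c2lnbmF0dXJlX2NvbnN0cnVjdGVk');",
    "INSERT INTO aws_creds (key_id, secret) VALUES ('AKIAEXAMPLE123456789', 'constructedSecretAccessKeyValue');",
    "SET @stripe_api_key = 'sk_live_constructed_EXAMPLE_1234567890';",
])

if __name__ == "__main__":
    for name in exposed_backups(INVENTORY):
        print(f"PUBLIC BACKUP: {name}")
    for f in find_secrets(SAMPLE_DUMP):
        print(f"line {f.line_no}: {f.kind} -> {f.preview}")
```

Note what the name-based patterns deliberately skip: the `password_reset_enabled = 'true'` row is not reported, because a flag named like a credential is not a credential, while the `smtp_password` row is, since the value follows the name directly. Against a real export the inventory would come from the storage provider's listing API and the dump would be streamed rather than held in memory, but the decision logic is the same.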
“Textbook perfect” response
The researchers explained that the ramifications could have been enormous: a single BAK file, exposed for just a few minutes, is enough for a company to be compromised and infected with ransomware.
“Finding a 4TB SQL backup exposed to the public Internet is like finding the master plan and physical keys to a vault, just sitting there. With a note that says ‘free to a good home,’” they warned.
Once their suspicions were confirmed, the researchers contacted EY to warn it about the findings. They did not know how long the database had been exposed, and said that any responsible researcher should assume that, by the time it was found, multiple threat actors had already stolen it.
Still, they praised EY for its response and said the company’s IT team was “textbook perfect.”
“Professional recognition. No defensiveness, no legal threats. Just: ‘Thank you. We’re on it.’”
Still, it took EY a full week to fully triage and remediate the issue, a long time for an exposure where every second matters.
“Several months ago, EY became aware of a potential data exposure and immediately fixed the issue,” EY told TechRadar Pro in a statement.
“No client information, personal data or EY confidential data has been affected. The issue was localized to an entity acquired by EY Italia and was not connected to EY’s global cloud and technology systems.”
Via The Register