A mistake in the cloud has exposed a vast trove of data belonging to one of the world’s largest professional-services firms. According to multiple independent cyber-security researchers, a 4-terabyte SQL Server backup file belonging to Ernst & Young (EY) was publicly accessible on the internet via Microsoft Azure Storage.
While no hack appears to have been involved, the incident underscores how even elite organizations are vulnerable to basic mis-configurations in the era of rapid cloud deployment.
Discovery
The loophole was uncovered by Dutch security outfit Neo Security during routine passive network and cloud-asset scanning. Using low-level tooling, the firm’s lead researcher issued a simple HTTP HEAD request to an Azure-based blob storage location and observed metadata indicating a file size of 4 TB. The file carried a “.BAK” extension, which is typically used for full SQL Server database backups.
Neo…
