Ernst & Young’s 4TB SQL Server Backup Exposed Publicly on Microsoft Azure
In a significant cybersecurity lapse, Ernst & Young (EY), one of the world’s leading accounting firms, inadvertently left a massive 4-terabyte SQL Server backup file publicly accessible on Microsoft Azure. This exposure was identified by Neo Security, a cybersecurity firm, during a routine asset mapping exercise, underscoring the persistent risks even well-resourced organizations face in safeguarding sensitive data.
Discovery and Verification Process
Neo Security’s lead researcher, while analyzing passive network traffic with basic tools, stumbled upon the exposed file. A simple HEAD request, designed to retrieve metadata without downloading the entire content, revealed the file’s staggering size—4 terabytes, equivalent to millions of documents or an entire library’s worth of information.
The file’s naming convention indicated it was a SQL Server backup (.BAK format), typically containing comprehensive database dumps. Such backups often include database schemas, user data, and embedded secrets like API keys, credentials, and authentication tokens, making them highly sensitive.
Initial searches on Azure Blob Storage did not immediately reveal the file’s ownership. However, further investigation uncovered merger documents in a European language, pointing to a 2020 acquisition. A pivotal DNS SOA record lookup linked the domain to ey.com, confirming EY’s involvement. To avoid legal complications, Neo Security downloaded only the first 1,000 bytes of the file, which revealed an unmistakable magic bytes signature for an unencrypted SQL Server backup.
Potential Risks and Real-World Implications
The exposure of such a substantial backup file is not merely a theoretical risk. Neo Security drew parallels to a previous incident involving a fintech company, where a similar .BAK file was exposed for just five minutes. In that brief window, attackers exfiltrated personally identifiable information and credentials, leading to a ransomware attack and the company’s eventual collapse.
In today’s digital landscape, botnets can scan the entire IPv4 address space within minutes, making any such exposure a potential target for malicious actors. Recognizing the severity, Neo Security ceased further probing and initiated a responsible disclosure process. After 15 attempts, they successfully connected with EY’s Computer Security Incident Response Team (CSIRT) via LinkedIn.
EY’s Response and Broader Implications
EY responded promptly and professionally, triaging and remediating the issue within a week. Their mature handling of the situation stands out in an industry where denial or delays are often the norm. However, this incident highlights systemic vulnerabilities associated with cloud storage.
Microsoft Azure’s user-friendly features, such as database exports, can inadvertently lead to Access Control List (ACL) errors. A single misconfiguration can change private storage to public, exposing sensitive data. For a firm like EY, which audits billion-dollar deals and manages market-sensitive financial data, such lapses raise critical questions about oversight in rapidly evolving infrastructures.
Experts caution that with automated adversarial scanning, the question isn’t if exposures will occur, but how many actors will notice them. As cloud environments become more complex, continuous mapping and visibility tools are essential. Organizations must proactively identify and address their vulnerabilities to stay ahead of potential threats.
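A defender-side check for the misconfiguration described above, as an added example that is not code from Neo Security or EY: it walks a storage inventory and reports backup-like files sitting in containers that allow anonymous reads. The inventory layout, account names and file names are constructed; only `allowBlobPublicAccess` and `publicAccess` mirror Azure's own property names, and treating a missing account flag as "not disabled" is a conservative assumption.

```python
"""Flag backup files sitting in anonymously readable Azure Blob containers."""

BACKUP_SUFFIXES = (".bak", ".bacpac", ".sql", ".dmp")
PUBLIC_LEVELS = {"blob", "container"}

# Constructed inventory for illustration (not real accounts). The keys
# allowBlobPublicAccess and publicAccess mirror Azure's property names;
# the surrounding layout is an assumption of this example.
SAMPLE_INVENTORY = [
    {"account": "corpfinance01", "allowBlobPublicAccess": True, "containers": [
        {"name": "exports", "publicAccess": "Container", "blobs": [
            {"name": "erp_full_2020.BAK", "size": 4 * 1024**4},
            {"name": "readme.txt", "size": 120}]},
        {"name": "internal", "publicAccess": None, "blobs": [
            {"name": "hr.bak", "size": 10 * 1024**3}]}]},
    {"account": "corplegacy02", "allowBlobPublicAccess": False, "containers": [
        {"name": "dumps", "publicAccess": "Blob", "blobs": [
            {"name": "crm.bacpac", "size": 2 * 1024**3}]}]},
    {"account": "corpweb03", "containers": [  # flag absent: treated as not disabled
        {"name": "static", "publicAccess": "Blob", "blobs": [
            {"name": "old/site.sql", "size": 5 * 1024**2}]}]},
]

def effective_public_level(account, container):
    """Return 'blob', 'container' or None for the container's anonymous access."""
    if account.get("allowBlobPublicAccess") is False:
        return None  # account-level switch overrides any container ACL
    level = (container.get("publicAccess") or "").lower()
    return level if level in PUBLIC_LEVELS else None

def find_exposed_backups(inventory):
    """List backup-like blobs that anyone can read, largest first."""
    findings = []
    for account in inventory:
        for container in account.get("containers", []):
            level = effective_public_level(account, container)
            if level is None:
                continue
            for blob in container.get("blobs", []):
                if blob["name"].lower().endswith(BACKUP_SUFFIXES):
                    findings.append({
                        "path": f'{account["account"]}/{container["name"]}/{blob["name"]}',
                        "size": blob["size"],
                        "listable": level == "container",  # names can be enumerated
                    })
    return sorted(findings, key=lambda f: f["size"], reverse=True)

if __name__ == "__main__":
    for f in find_exposed_backups(SAMPLE_INVENTORY):
        print(f'{f["size"]:>16,} bytes  listable={f["listable"]}  {f["path"]}')
```

Run against a real export of your own accounts on a schedule, so a container flipped to public is caught by your inventory before an outside scanner finds it.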
Conclusion
The EY data exposure serves as a stark reminder of the challenges organizations face in securing cloud-based assets. While EY’s swift response mitigated potential damages, the incident underscores the need for rigorous oversight, regular audits, and robust security protocols to prevent similar occurrences in the future.