Cybersecurity has risen quickly to the top of the business agenda since the WannaCry attack of 2017. In the wake of many more high-profile attacks, consulting firms have increasingly been asked for assistance in shoring up their clients’ defences. However, the very advisory firms expected to deliver these solutions have themselves been the subject of high-profile breaches.
In 2017, Accenture was fortunate to avoid being added to the list of victims, when it emerged that the company’s data hosted on Amazon’s S3 cloud database was left unsecured. A security researcher discovered four AWS S3 storage buckets configured for public access, leaking internal emails, passwords, client data, and sensitive documents. If accessed, the data could have let attackers harm the firm and its clients without needing to exploit security flaws to get into Accenture’s cyber-infrastructure.
While Accenture avoided a major breach on that occasion, three years later it seems lessons have not been learnt. It has been revealed that thousands of UK business professionals have also had their personal details exposed online via a leaky Amazon Web Services bucket. Researchers discovered files belonging to multiple consulting firms, which are thought to have been left publicly viewable with no authentication by a London-based company known as CHS Consulting.
According to vpnMentor, the firm apparently behind the misconfigured S3 resource has no website, so it cannot be definitively confirmed whether it actually has ownership of the database – labelled “CHS.” What the researchers were able to uncover is that the bucket contained files from the HR departments – including passport scans, tax documents, criminal record information and background checks – of multiple UK consulting firms including Eximius Consultants, Dynamic Partners and IQ Consulting, with the data stretching back as far as 2011.
According to vpnMentor, if criminal hackers had found the database first, it would have been “a goldmine for illicit activities and fraud, with potentially devastating results for those exposed.” The security site added that UK-based consultants concerned about this breach should contact CERT-UK, the UK’s national computer emergency response team, to find out how to keep their data safe and ensure it has not been leaked.