Ernst & Young (EY)

EY, a global accounting firm, inadvertently exposed a 4TB SQL backup (.BAK file) on the public internet, containing highly sensitive data such as schema, stored procedures, API keys, session tokens, user credentials, cached authentication tokens, and service account passwords. The exposure was discovered by Neo Security researchers, who warned that such files typically hold *all secrets* stored in an organization’s database. While EY responded professionally and remediated the issue within a week, the researchers suspected threat actors may have already accessed the data before discovery. EY clarified that no client information, personal data, or confidential EY data was compromised, attributing the incident to an acquired entity under EY Italy, isolated from its global systems. However, the exposure posed severe risks, including potential breach escalation, credential theft, or ransomware infection, given the criticality of the leaked data.

Source: https://www.techradar.com/pro/security/ey-reportedly-leaked-a-massive-4tb-database-online-exposing-company-secrets-online-for-all-to-see

TPRM report: https://www.rankiteo.com/company/ernst-young-consulting-services

"id": "ern0092100103025",
"linkid": "ernst-young-consulting-services",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'none reported',
                        'industry': 'financial services / professional '
                                    'services',
                        'location': 'global (incident localized to EY Italy)',
                        'name': 'Ernst & Young (EY)',
                        'size': "large (one of the 'Big Four' accounting "
                                'firms)',
                        'type': 'professional services firm '
                                '(accounting/consulting)'}],
 'attack_vector': 'publicly accessible misconfigured SQL backup (.BAK file)',
 'customer_advisories': 'EY issued a statement to TechRadar Pro confirming no '
                        'client or personal data was impacted.',
 'data_breach': {'data_exfiltration': 'suspected (researchers assume threat '
                                      'actors may have accessed it)',
                 'file_types_exposed': ['.BAK (SQL backup file)'],
                 'personally_identifiable_information': 'none reported (per '
                                                        "EY's statement)",
                 'sensitivity_of_data': 'high (credentials, secrets, and '
                                        'internal application data)',
                 'type_of_data_compromised': ['database schema',
                                              'stored procedures',
                                              'API keys',
                                              'session tokens',
                                              'user credentials',
                                              'cached authentication tokens',
                                              'service account passwords',
                                              'application secrets']},
 'description': 'Ernst & Young (EY), one of the world’s biggest accounting '
                'firms, inadvertently exposed a 4TB SQL backup (.BAK file) on '
                'the public internet. The backup contained sensitive '
                'information such as schema, data, stored procedures, API '
                'keys, session tokens, user credentials, cached authentication '
                'tokens, and service account passwords. Security researchers '
                'at Neo Security discovered the exposure and warned EY, '
                'suspecting that threat actors may have already accessed the '
                'data. EY responded professionally but took a week to fully '
                'remediate the issue. The exposed data belonged to an entity '
                'acquired by EY Italy and was unrelated to EY’s global cloud '
                'and technology systems. No client information, personal data, '
                'or confidential EY data was reported as impacted.',
 'impact': {'brand_reputation_impact': 'potential reputational harm due to '
                                       'exposure of sensitive credentials',
            'data_compromised': ['schema',
                                 'stored procedures',
                                 'API keys',
                                 'session tokens',
                                 'user credentials',
                                 'cached authentication tokens',
                                 'service account passwords',
                                 'application secrets'],
            'identity_theft_risk': 'high (due to exposed credentials and '
                                   'secrets)',
            'systems_affected': ['SQL database backup (.BAK file)']},
 'investigation_status': "resolved (per EY's statement)",
 'post_incident_analysis': {'corrective_actions': ['remediation of access '
                                                   'controls',
                                                   'removal of exposed backup'],
                            'root_causes': ['misconfigured public access to '
                                            'SQL backup file']},
 'references': [{'source': 'TechRadar Pro',
                 'url': 'https://www.techradar.com/'},
                {'source': 'The Register',
                 'url': 'https://www.theregister.com/'}],
 'response': {'communication_strategy': ['professional acknowledgment',
                                         'no defensiveness',
                                         'no legal threats',
                                         'public statement to TechRadar Pro'],
              'containment_measures': ['removal of public access to the backup '
                                       'file'],
              'incident_response_plan_activated': "yes (described as 'textbook "
                                                  "perfect')",
              'remediation_measures': ['full triage and remediation completed '
                                       'within one week'],
              'third_party_assistance': 'Neo Security (researchers who '
                                        'reported the issue)'},
 'title': 'EY Exposed 4TB SQL Backup Containing Sensitive Credentials and '
          'Application Secrets',
 'type': ['data exposure', 'misconfiguration'],
 'vulnerability_exploited': 'improper access controls / misconfigured storage'}