Ernst & Young (EY)

Ernst & Young (EY), a global accounting and consulting firm, inadvertently exposed a **4-terabyte (TB) SQL Server database backup** on the public internet. The unsecured **.BAK file**, discovered by a Neo Security researcher, contained highly sensitive internal data, including **database schemas, stored procedures, API keys, session tokens, user credentials, and service account passwords**—effectively a 'master blueprint' to EY’s digital infrastructure. While EY confirmed the exposure and claimed **no client, personal, or confidential data was compromised**, the incident stemmed from an acquired entity under **EY Italy**, disconnected from its global systems. The file remained accessible for an **estimated week** before remediation, raising concerns about potential access by malicious actors. EY’s response was praised for professionalism, though the delayed fix highlighted operational vulnerabilities. The exposure risked **unauthorized access to critical systems**, credential theft, and potential lateral movement within EY’s network, though the firm asserted no evidence of exploitation.

Source: https://www.storyboard18.com/brand-marketing/ernst-young-accidentally-leaks-4tb-of-internal-data-in-massive-online-exposure-83525.htm

TPRM report: https://www.rankiteo.com/company/ernstandyoung

"id": "ern0755607110525",
"linkid": "ernstandyoung",
"type": "Breach",
"date": "11/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'customers_affected': "none (per EY's statement)",
                        'industry': ['professional services',
                                     'financial services'],
                        'location': 'global (incident localized to EY Italy)',
                        'name': 'Ernst & Young (EY)',
                        'size': "large (one of the 'Big Four' accounting "
                                'firms)',
                        'type': ['accounting firm', 'consulting firm']}],
 'attack_vector': 'publicly accessible unprotected database backup (.BAK file)',
 'customer_advisories': 'EY issued a public statement downplaying impact',
 'data_breach': {'data_encryption': 'no (file was unprotected)',
                 'data_exfiltration': 'unknown (assumed possible due to public '
                                      'exposure)',
                 'file_types_exposed': ['.BAK (SQL Server backup)'],
                 'personally_identifiable_information': "no (per EY's "
                                                        'statement)',
                 'sensitivity_of_data': 'high (internal credentials, tokens, '
                                        'and technical blueprints)',
                 'type_of_data_compromised': ['internal database schema',
                                              'stored procedures',
                                              'API keys',
                                              'session tokens',
                                              'user credentials',
                                              'service account passwords']},
 'description': 'Ernst & Young (EY), one of the world’s largest accounting and '
                'consulting firms, reportedly left a 4-terabyte (TB) database '
                'backup exposed on the public internet, potentially revealing '
                'vast amounts of sensitive company information. The '
                'unprotected .BAK file, believed to be a full SQL Server '
                'database backup, was discovered by a security researcher at '
                'Neo Security. The file contained critical internal data, '
                'including schema, stored procedures, API keys, session '
                'tokens, user credentials, and service account passwords. EY '
                'was alerted and responded swiftly, though remediation took '
                'about a week. EY confirmed the incident but stated no client '
                'information, personal data, or confidential EY data was '
                'impacted, localizing the issue to an acquired entity in '
                'Italy.',
 'impact': {'brand_reputation_impact': 'potential reputational harm due to '
                                       'exposure of sensitive internal data',
            'data_compromised': ['internal database schema',
                                 'stored procedures',
                                 'API keys',
                                 'session tokens',
                                 'user credentials',
                                 'service account passwords'],
            'identity_theft_risk': 'high (due to exposed credentials and '
                                   'tokens)',
            'systems_affected': ['SQL Server database backup (.BAK file)']},
 'investigation_status': "resolved (per EY's statement)",
 'post_incident_analysis': {'corrective_actions': ['secured the exposed file',
                                                   'remediated within ~1 week'],
                            'root_causes': ['misconfigured public exposure of '
                                            'sensitive backup file']},
 'references': [{'source': 'TechRadar Pro'}],
 'response': {'communication_strategy': ['swift acknowledgment',
                                         'professional response to researcher',
                                         'public statement downplaying impact'],
              'containment_measures': ['securing the exposed backup file'],
              'incident_response_plan_activated': "yes (described as 'textbook "
                                                  "perfect' by the researcher)",
              'remediation_measures': ['remediated within ~1 week'],
              'third_party_assistance': ['Neo Security (reporting party)']},
 'title': 'Ernst & Young (EY) Exposes 4TB Database Backup on Public Internet',
 'type': ['data exposure', 'misconfiguration'],
 'vulnerability_exploited': 'misconfigured public-facing storage/exposure of '
                            'sensitive backup file'}