EY (Ernst & Young)

A Dutch cybersecurity firm, Neo Security, discovered a **4TB+ unencrypted SQL Server backup file** belonging to EY exposed publicly on the internet due to a **misconfigured cloud bucket**. The leaked data included **API keys, cached authentication tokens, session tokens, service account passwords, and user credentials**: essentially a full blueprint for accessing EY's internal systems. The exposure was caused by a trivial error, likely a misconfigured bucket setting, which made the sensitive backup accessible to anyone. While the exact duration of the exposure is unclear, incidents like this are typically treated as a compromise from the moment of discovery.

The breach mirrors a past case Neo Security investigated, in which a **lazy database migration** (temporarily setting a bucket to public) led to a **ransomware attack and the eventual collapse of the affected company** after data theft. EY responded professionally upon notification, remediating the issue within a week. However, the exposed credentials and trade secrets still pose severe risks, including **potential follow-on attacks, financial fraud, or espionage** by threat actors who may already have downloaded the data.

Source: https://www.theregister.com/2025/10/29/ey_exposes_4tb_sql_database/

TPRM report: https://www.rankiteo.com/company/ernstandyoung

```json
{
  "id": "ern2092220102925",
  "linkid": "ernstandyoung",
  "type": "Breach",
  "date": "5/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
```
```python
{'affected_entities': [{'industry': ['accounting',
                                     'consulting',
                                     'financial services'],
                        'location': 'global (headquartered in London, UK)',
                        'name': 'Ernst & Young (EY)',
                        'size': "large (one of the 'Big Four' accounting "
                                'firms)',
                        'type': 'multinational professional services firm'}],
 'attack_vector': 'cloud bucket misconfiguration (publicly accessible storage)',
 'data_breach': {'data_encryption': 'no (unencrypted BAK file)',
                 'data_exfiltration': 'likely (researcher downloaded first '
                                      '1000 bytes; attackers may have '
                                      'downloaded full file)',
                 'file_types_exposed': ['SQL Server backup (.BAK)'],
                 'personally_identifiable_information': 'potentially (if user '
                                                        'credentials included '
                                                        'PII)',
                 'sensitivity_of_data': 'high (credentials, secrets, and '
                                        'potentially proprietary information)',
                 'type_of_data_compromised': ['API keys',
                                              'authentication tokens (cached)',
                                              'session tokens',
                                              'service account passwords',
                                              'user credentials',
                                              'potential trade secrets']},
 'description': 'A Dutch cybersecurity firm, Neo Security, discovered a 4TB+ '
                'SQL Server backup file belonging to EY (Ernst & Young) '
                'exposed to the public internet. The unencrypted BAK file '
                'contained sensitive data such as API keys, cached '
                'authentication tokens, session tokens, service account '
                'passwords, and user credentials. The exposure was due to a '
                'misconfigured cloud bucket, reminiscent of a past incident '
                "where a company collapsed after a similar breach. EY's "
                'response was praised as professional and effective, with '
                'remediation completed within a week.',
 'impact': {'brand_reputation_impact': 'potential reputational damage '
                                       '(high-profile exposure)',
            'data_compromised': ['API keys',
                                 'cached authentication tokens',
                                 'session tokens',
                                 'service account passwords',
                                 'user credentials',
                                 'potential trade secrets'],
            'identity_theft_risk': 'high (due to exposed credentials)',
            'systems_affected': ['SQL Server backup (BAK file)']},
 'initial_access_broker': {'entry_point': 'publicly accessible cloud bucket',
                           'high_value_targets': ['SQL Server backup '
                                                  'containing credentials and '
                                                  'secrets']},
 'investigation_status': 'resolved (remediated within a week)',
 'lessons_learned': ['Cloud storage misconfigurations can lead to massive data '
                     'exposures with minimal effort.',
                     'Automated scans by attackers can exploit even brief '
                     'periods of public exposure.',
                     'Convenience in cloud tools (e.g., one-click exports) '
                     'does not prioritize security by default.',
                     'Proactive monitoring and access reviews are critical for '
                     'cloud storage.'],
 'post_incident_analysis': {'corrective_actions': ['Secured the exposed backup '
                                                   'file',
                                                   'Likely reviewed and '
                                                   'hardened cloud storage '
                                                   'access controls (inferred '
                                                   'from remediation)'],
                            'root_causes': ['Human error (misconfigured cloud '
                                            'bucket permissions)',
                                            'Lack of safeguards against '
                                            'accidental public exposure',
                                            'Over-reliance on convenience '
                                            'features in cloud tools without '
                                            'security checks']},
 'recommendations': ['Implement strict access controls and default-deny '
                     'policies for cloud storage.',
                     'Use encryption for sensitive backups, even in '
                     "'temporary' public states.",
                     'Enable automated alerts for changes in bucket '
                     'permissions or public exposure.',
                     'Conduct regular audits of cloud storage configurations.',
                     'Train employees on secure data handling during '
                     'migrations or backups.'],
 'references': [{'source': 'The Register'},
                {'source': 'Neo Security (Dutch cybersecurity firm)'}],
 'response': {'communication_strategy': ['cold messaging on LinkedIn to reach '
                                         'incident responders'],
              'containment_measures': ['remediation of cloud bucket access '
                                       'controls'],
              'incident_response_plan_activated': 'yes (professional and '
                                                  'effective response)',
              'remediation_measures': ['securing the exposed backup file'],
              'third_party_assistance': 'yes (Neo Security reported the '
                                        'incident)'},
 'title': 'EY 4TB+ SQL Server Backup File Exposure',
 'type': ['data breach',
          'cloud misconfiguration',
          'unauthorized data exposure'],
 'vulnerability_exploited': 'improper access controls on cloud storage (public '
                            'bucket setting)'}
```