Ernst & Young (EY)

A 4TB SQL Server backup file belonging to Ernst & Young (EY) was discovered publicly exposed on Microsoft Azure by cybersecurity firm Neo Security. The unencrypted .BAK file, identified during routine passive network analysis, likely contained sensitive data such as database schemas, user credentials, API keys, and authentication tokens. Ownership was confirmed via DNS SOA lookup linking to **ey.com**, though initial searches showed no explicit owner. While EY remediated the exposure swiftly and claimed no client or confidential data was compromised, the incident underscored the high risk of automated scanning tools discovering such leaks. The exposure duration and potential access by malicious actors remained unclear, but past incidents demonstrated that even brief cloud exposures could lead to PII and credential theft. The case highlighted critical gaps in cloud visibility and leak detection, emphasizing the need for continuous attack surface monitoring in complex cloud environments.

Source: https://securityaffairs.com/184062/data-breach/ernst-young-exposes-4tb-sql-server-backup-publicly-on-microsoft-azure.html

TPRM report: https://www.rankiteo.com/company/ernstandyoung

"id": "ern3000430110625",
"linkid": "ernstandyoung",
"type": "Breach",
"date": "6/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': "none (per EY's statement)",
                        'industry': 'professional services (accounting, '
                                    'consulting)',
                        'location': 'global (headquartered in London, UK)',
                        'name': 'Ernst & Young (EY)',
                        'size': 'large (multinational)',
                        'type': 'global accounting firm'}],
 'attack_vector': 'publicly accessible cloud storage (Azure Blob)',
 'customer_advisories': ['EY confirmed no client or confidential data was '
                         'affected.'],
 'data_breach': {'data_encryption': 'no (file was unencrypted)',
                 'data_exfiltration': 'none confirmed (per EY)',
                 'file_types_exposed': ['.BAK (SQL Server backup)'],
                 'personally_identifiable_information': 'potential (not '
                                                        'confirmed)',
                 'sensitivity_of_data': 'high (potentially included '
                                        'credentials and PII)',
                 'type_of_data_compromised': ['SQL Server database backup '
                                              '(.BAK file)',
                                              'potential: schemas, user '
                                              'information, API keys, '
                                              'credentials, authentication '
                                              'tokens']},
 'date_detected': '2025-10-31',
 'date_publicly_disclosed': '2025-10-31',
 'description': 'A massive 4TB SQL Server backup file belonging to global '
                'accounting giant Ernst & Young (EY) was discovered publicly '
                'accessible on Microsoft Azure during a routine scan by '
                'cybersecurity firm Neo Security. The file, identified by its '
                '.BAK extension, was unencrypted and likely contained '
                'sensitive data such as schemas, user information, API keys, '
                'credentials, and authentication tokens. Neo Security '
                'responsibly disclosed the exposure to EY, which quickly '
                'remediated the issue, confirming no client or confidential '
                'data was affected. The incident underscores the risks of '
                'automated scanning and the need for continuous cloud '
                'visibility and leak detection tools.',
 'impact': {'brand_reputation_impact': 'potential reputational risk due to '
                                       'exposure of sensitive backup',
            'data_compromised': ['potential schemas',
                                 'user information',
                                 'API keys',
                                 'credentials',
                                 'authentication tokens'],
            'identity_theft_risk': 'high (if credentials/PII were exposed)',
            'systems_affected': ['Microsoft Azure Blob Storage']},
 'investigation_status': "resolved (per EY's statement)",
 'lessons_learned': ['Even resource-rich organizations can accidentally expose '
                     'sensitive data in complex cloud environments.',
                     'Automated scanning tools make exposures inevitable; '
                     'continuous monitoring and attack surface management are '
                     'critical.',
                     'Responsible disclosure by third-party researchers can '
                     'mitigate risks before malicious exploitation.'],
 'post_incident_analysis': {'corrective_actions': ['secured exposed backup',
                                                   'likely internal review of '
                                                   'cloud security practices '
                                                   '(inferred)'],
                            'root_causes': ['misconfigured Azure Blob storage '
                                            'permissions',
                                            'lack of continuous monitoring for '
                                            'exposed assets']},
 'recommendations': ['Implement continuous cloud visibility and leak detection '
                     'tools.',
                     'Enforce strict access controls and encryption for '
                     'cloud-stored backups.',
                     'Regularly audit cloud storage permissions to prevent '
                     'misconfigurations.',
                     'Establish clear channels for third-party vulnerability '
                     'disclosures.'],
 'references': [{'date_accessed': '2025-10-31',
                 'source': 'SecurityAffairs',
                 'url': 'https://securityaffairs.com/153422/data-breach/ey-exposes-4tb-sql-server-backup.html'}],
 'response': {'communication_strategy': ['public disclosure via '
                                         'SecurityAffairs',
                                         'statement confirming no '
                                         'client/confidential data affected'],
              'containment_measures': ['restricted public access to the Azure '
                                       'Blob'],
              'incident_response_plan_activated': "yes (EY's CSIRT engaged "
                                                  'after disclosure)',
              'remediation_measures': ['secured misconfigured storage '
                                       'permissions'],
              'third_party_assistance': ['Neo Security (disclosure)']},
 'title': 'EY Exposes 4TB SQL Server Backup Publicly on Microsoft Azure',
 'type': ['data exposure', 'misconfiguration'],
 'vulnerability_exploited': 'misconfigured Azure Blob storage permissions'}