Today’s episode of “No need to hack when it’s leaking” is brought to us by Neo Security.
In the course of their research and scanning, they came across a 4 TB SQL backup. As Neo Security explains:
An SQL Server BAK file is a complete database backup. It contains everything: the schema, all the data, stored procedures, and critically, every secret stored in those tables.
API keys, session tokens, user credentials, cached authentication tokens, service account passwords. Whatever the application stored in the database.
Not just one secret… all the secrets.
Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there. With a note that says “free to a good home.”
Determining whom to notify involved multiple steps, but a Start of Authority (SOA) lookup pointed them to an authoritative DNS server under ey.com, the domain of Ernst & Young, one of the Big Four accounting firms.
Neo Security hammers home one point throughout their article: even if data is just exposed for seconds, it’s not a question of if someone found it. It’s a question of how many found it. Neo Security’s researcher did not know for how long that backup had been exposed, but responded to it as an urgent situation, attempting to responsibly disclose it quickly to Ernst & Young.
A “textbook perfect” response?
Neo Security heaps praise on Ernst & Young for their response to their notification. From the moment they reached the firm, the firm’s response was
Textbook perfect. Professional acknowledgment. No defensiveness, no legal threats. Just: “Thank you. We’re on it.”
Clear, technical communication. Engineer to engineer. No jargon-filled corporate speak. Just solid incident response.
One week later, the issue was triaged and fully remediated.
Neo Security went further in its praise:
A huge shout-out to EY’s security team.
They handled it exactly as you’d hope. This is what mature security response looks like. And frankly, it’s rare. We’ve had companies threaten us with lawsuits for telling them their database was public. We’ve had companies ghost us for months. We’ve had companies claim “it’s not a bug, it’s a feature.”
EY? They just fixed it. No drama. No bullshit. Just professionalism.
But reaching that security team in the first place was neither quick nor professional on Ernst & Young’s part. As Neo Security explains:
The hard part: we scrambled to find a security@ mailbox, a vulnerability disclosure program, anything. Nothing. It was the weekend.
This is the uncomfortable reality of responsible disclosure. Our researcher went to LinkedIn and started cold-messaging people. “Hi, I’m a security researcher, I think I’ve found something critical, can you please get me to your security team?” After 15 attempts, he found someone who understood and connected him to the CSIRT.
That is not “textbook perfect.”
Ernst & Young has a section on its website about cybersecurity and how it can help clients with cyber threat management, detection, and response services. The firm also notes that October is Cybersecurity Awareness Month.
Yet Ernst & Young failed to have a necessary component of incident detection and response: a way to receive and escalate alerts from third parties about security issues.
As of this morning, there is still nothing on Ernst & Young’s home page or in their robots.txt file that instructs researchers or other third parties how to notify them of an urgent security issue.
DataBreaches assumes that the accounting firm has investigated or is investigating how the security failure occurred, for how long data was exposed, and how many unauthorized IP addresses accessed it.
This is still Cybersecurity Awareness Month. DataBreaches hopes Ernst & Young will model some awareness for its clients by posting something on their home page about how to contact them 24/7/365 to alert them to any data security breach.
That’s what https://securitytxt[.]org/ is for.
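What a usable security.txt looks like, and a check for the two fields that RFC 9116 makes mandatory, as an added example that is not part of the DataBreaches article or of Neo Security’s write-up. The domain, mailbox and URLs in the samples are placeholders, and the second sample is constructed to show the kind of file a researcher would reject (a bare e-mail address instead of a URI, and an expiry date in the past):

```python
"""Minimal RFC 9116 (security.txt) checker.

Added example, not code from the article or from Neo Security. It parses a
constructed security.txt body, verifies the two mandatory fields (Contact and
Expires), and lists the problems a researcher would hit when trying to reach a
vendor's security team. All names, addresses and URLs are placeholders.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# RFC 9116 section 3: the file is served at /.well-known/security.txt;
# /security.txt at the web root is the legacy fallback location.
WELL_KNOWN_PATH = "/.well-known/security.txt"
LEGACY_PATH = "/security.txt"

REQUIRED_FIELDS = ("Contact", "Expires")
ALLOWED_CONTACT_SCHEMES = ("mailto", "tel", "https")

# Constructed sample for a hypothetical example.org (placeholder values).
SAMPLE_GOOD = """\
# security.txt for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/report-a-vulnerability
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.org/.well-known/security.txt
"""

# Constructed sample of a file that exists but is not usable:
# Contact is not a URI and the Expires timestamp is in the past.
SAMPLE_BAD = """\
Contact: security@example.org
Expires: 2020-01-01T00:00:00Z
"""


def candidate_urls(domain: str) -> list[str]:
    """Where a researcher looks, in order: well-known path first, then the legacy root path."""
    return [f"https://{domain}{WELL_KNOWN_PATH}", f"https://{domain}{LEGACY_PATH}"]


def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Return lower-cased field name -> list of values (field names are case-insensitive)."""
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank line, comment, or not a field line
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(body: str, now: datetime | None = None) -> list[str]:
    """Return human-readable problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(body)
    problems: list[str] = []

    for name in REQUIRED_FIELDS:
        if name.lower() not in fields:
            problems.append(f"missing required field: {name}")

    # Contact values must be URIs; a bare address gives researchers nothing to act on.
    for contact in fields.get("contact", []):
        if urlparse(contact).scheme not in ALLOWED_CONTACT_SCHEMES:
            problems.append(f"Contact must be a mailto:, tel: or https: URI, got {contact!r}")

    expires_values = fields.get("expires", [])
    if len(expires_values) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires_values:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {value!r}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must carry a timezone")
        elif expires <= now:
            problems.append(f"file expired on {value}; researchers will distrust it")
    return problems


if __name__ == "__main__":
    print("Fetch order for example.org:", candidate_urls("example.org"))
    for label, body in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        found = check_security_txt(body)
        print(f"{label}: {'OK' if not found else found}")
```

The check runs against a string rather than fetching over the network, so the same function can be pointed at the body returned from either candidate URL. Two Contact lines are deliberate: RFC 9116 allows several, listed in order of preference, which is exactly the redundancy that would have spared the researcher in this story fifteen LinkedIn messages.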