Global accounting giant Ernst & Young (EY) suffered a significant cloud security lapse when a 4-terabyte SQL Server backup file was found publicly accessible on Microsoft Azure. The exposure, which contained a complete database dump, was discovered during a routine asset mapping exercise by cybersecurity firm Neo Security. The sheer size of the file—equivalent to millions of documents—and its .BAK format, which typically harbors embedded secrets like API keys and credentials, immediately flagged it as a high-risk security event, illustrating how easily even major organizations can inadvertently leave highly sensitive data open to the internet’s relentless automated scanners.
Neo Security’s lead researcher found the file while examining passive network traffic using low-level tools. A simple metadata request confirmed the massive 4TB size, while the file name clearly indicated a SQL Server backup. The initial search on the Azure Blob Storage did not reveal the owner, but the team’s deeper investigation uncovered European-language merger documents pointing to a 2020 acquisition, and a crucial DNS SOA record lookup ultimately tied the domain directly to ey.com, confirming EY’s involvement. To ensure legal compliance and responsible disclosure, the security team only downloaded the first 1,000 bytes, which provided the unmistakable “magic bytes” signature for an unencrypted SQL Server backup.
The security researchers understood that this was not a theoretical vulnerability; they recalled a real-world incident where a brief, five-minute exposure of a similar .BAK file allowed attackers to exfiltrate credentials and personally identifiable information, ultimately leading to a ransomware attack and the company’s collapse. With current sophisticated botnets able to scan the entire IPv4 address space in minutes, such exposures essentially guarantee compromise. Neo Security immediately ceased further probing and pursued responsible disclosure, eventually reaching EY’s CSIRT via LinkedIn after 15 attempts over a weekend to alert them to the danger.
EY responded professionally, triaging and remediating the issue within a week. A spokesperson for EY confirmed the incident, stating that the firm became aware of a potential exposure “several months ago” and immediately fixed it. They assured the public that “No client information, personal data, or confidential EY data has been impacted,” clarifying that the issue was localized to an entity acquired by EY Italy and was disconnected from the main EY global cloud and technology systems.
Security experts emphasize that automated adversarial scanning means the question for organizations is no longer “if” an exposure will happen, but “how many” malicious actors will notice it. As cloud environments grow more complex, continuous asset mapping and visibility tools are critical to maintaining security. These measures are becoming essential not just for defense, but to ensure that organizations discover and patch their own leaks before external threats can exploit them, effectively forcing companies to outpace the speed of automated attacks.
Reference:
