
Massive Data Leak EY Exposes 4TB Backup on Azure Cloud

A massive 4 terabyte (TB) SQL Server backup file belonging to the global accounting giant Ernst & Young (EY) was discovered publicly accessible on the Microsoft Azure cloud platform.

Discovery and Confirmation

Cybersecurity firm Neo Security discovered the 4TB file during a routine passive scan. The firm's lead researcher identified the publicly exposed file, whose .BAK extension indicated a full SQL Server database backup. Such files typically contain highly sensitive data including schemas, user information, API keys, credentials, and authentication tokens.

Cybersecurity News reported that Neo Security's lead researcher spotted the file while examining passive network traffic. A simple HEAD request, designed to retrieve metadata without downloading content, revealed the massive size: 4 terabytes of data, equivalent to millions of documents.

Initial searches on Azure Blob storage failed to reveal the owner. However, merger documents and a DNS SOA lookup linked the SQL Server backup to EY. Neo Security verified that the backup was unencrypted by downloading only 1,000 bytes. Past fintech breaches that resulted from brief exposure of .BAK files showed that the risk was real.

The Neo Security report detailed the ownership confirmation process. Company name searches led to business merger documents in a European language. A translation revealed the company was acquired in 2020 by a larger entity. The definitive link was established with an SOA record lookup, a DNS query that came back pointing to the authoritative DNS server: ey.com.

Risk and Remediation

The exposure of this file was extremely high risk. In a past incident, attackers exploited a brief cloud exposure to steal personally identifiable information (PII) and credentials. Given the prevalence of automated scanning tools, the concern was not if someone found it, but how many malicious actors discovered the file.

Neo Security responsibly disclosed EY’s 4TB backup, successfully contacting EY's Computer Security Incident Response Team (CSIRT) after 15 failed attempts.

EY quickly remediated the issue, later confirming that no client or confidential data was affected. Experts emphasize that due to the complexity and speed of modern cloud environments, automated scanning makes such exposures inevitable.

The incident highlights two critical points for every organization:

  • Even a resource-rich organization like EY can accidentally leave massive, sensitive data exposed because of the complexity and speed of modern cloud environments.
  • In the current era of automated scanning and botnets, exposures are extremely high risk. Continuous, automated monitoring and attack surface management are essential to detect and remediate leaks before malicious actors can exploit them.
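As an added example (not code from Neo Security, EY, or the original article), the sketch below shows how a team could run the same kind of HEAD check described above against URLs in its own storage inventory as part of continuous monitoring. The `storage.example.invalid` URLs, the extension list, and the severity labels are constructed assumptions.

```python
"""Anonymous HEAD check for storage URLs you own (added example)."""
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Assumption: extensions treated as database backups or dumps; adjust to your estate.
BACKUP_EXTENSIONS = (".bak", ".sql", ".dump", ".bacpac")


def head(url, timeout=10):
    """Send an unauthenticated HEAD request; return (status, headers), no body."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # a refusal is still a useful result
        return err.code, dict(err.headers)


def assess(url, status, headers):
    """Classify one HEAD result: is the object anonymously readable, and how big?"""
    headers = {k.lower(): v for k, v in headers.items()}
    public = status == 200
    size = int(headers.get("content-length", "0")) if public else 0
    is_backup = urlparse(url).path.lower().endswith(BACKUP_EXTENSIONS)
    if public and is_backup:
        severity = "critical"   # world-readable database backup
    elif public:
        severity = "review"     # public object; confirm that is intended
    else:
        severity = "ok"
    return {"url": url, "public": public, "size_bytes": size, "severity": severity}


# Constructed sample results (not real hosts), shaped like head() output.
SAMPLE = [
    ("https://storage.example.invalid/db/prod-full.BAK", 200,
     {"Content-Length": str(4 * 1024**4), "Content-Type": "application/octet-stream"}),
    ("https://storage.example.invalid/site/logo.png", 200, {"Content-Length": "5120"}),
    ("https://storage.example.invalid/db/private.bak", 404, {}),
]


def run_sample():
    """Assess the constructed sample without touching the network."""
    return [assess(url, status, hdrs) for url, status, hdrs in SAMPLE]


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In a scheduled job, replace `SAMPLE` with `head(url)` results for every URL in your own asset inventory and alert on any `critical` finding.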
