EY A.I CyberSecurity Scoring
EY
Company Information
Website: http://www.ey.com
Number of employees: 391,761
Number of followers: 10,937,305
NAICS: 54
Industry Type: Professional Services
Homepage: ey.com
EY Risk Score (AI oriented)
Between 750 and 799
EY, Professional Services
Updated: 30/03/2026
793/1000
Fair
Baa

EY: Fair
Current Score: 793 Baa (FAIR)
Scale: 0 to 1000
5 incidents
-20 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
776
MAY 2026
794
APRIL 2026
793
MARCH 2026
792
FEBRUARY 2026
791
JANUARY 2026
791
DECEMBER 2025
788
NOVEMBER 2025
807
Breach
05 Nov 2025 • EY
Ernst & Young (EY)
Ernst & Young (EY) Exposes 4TB Database Backup on Public Internet
787
HIGH (-20)
ERN0755607110525
Ernst & Young (EY), a global accounting and consulting firm, inadvertently exposed a 4-terabyte (TB) SQL Server database backup on the public internet. The unsecured .BAK file, discovered by a Neo Security researcher, contained highly sensitive internal data, including database schemas, stored procedures, API keys, session tokens, user credentials, and service account passwords—effectively a 'master blueprint' to EY’s digital infrastructure. While EY confirmed the exposure and claimed no client, personal, or confidential data was compromised, the incident stemmed from an acquired entity under EY Italy, disconnected from its global systems. The file remained accessible for an estimated week before remediation, raising concerns about potential access by malicious actors. EY’s response was praised for professionalism, though the delayed fix highlighted operational vulnerabilities. The exposure risked unauthorized access to critical systems, credential theft, and potential lateral movement within EY’s network, though the firm asserted no evidence of exploitation.
OCTOBER 2025
807
SEPTEMBER 2025
806
AUGUST 2025
805
JULY 2025
805
MAY 2025
823
Breach
01 May 2025 • EY
EY (Ernst & Young)
EY 4TB+ SQL Server Backup File Exposure
802
CRITICAL (-21)
ERN2092220102925
A Dutch cybersecurity firm, Neo Security, discovered a 4TB+ unencrypted SQL Server backup file belonging to EY exposed publicly on the internet due to a misconfigured cloud bucket. The leaked data included API keys, cached authentication tokens, session tokens, service account passwords, and user credentials—essentially a full blueprint for accessing EY’s internal systems. The exposure was caused by a trivial error, likely a misconfigured bucket setting, which made the sensitive backup accessible to anyone. While the exact duration of exposure is unclear, such incidents typically assume compromise from the moment of discovery. The breach mirrors a past case Neo Security investigated, where a lazy database migration (temporarily setting a bucket to public) led to a ransomware attack and the eventual collapse of the affected company after data theft. EY responded professionally upon notification, remediating the issue within a week. However, the exposed credentials and trade secrets pose severe risks, including potential follow-on attacks, financial fraud, or espionage by threat actors who may have already downloaded the data.
NOVEMBER 2023
814
Breach
01 Nov 2023 • EY
Infosys
Data Breach at McCamish Systems
780
CRITICAL (-34)
INF749032025
India-based IT consulting giant, Infosys, has faced legal challenges due to a data breach in its U.S. subsidiary, McCamish Systems, during November 2023. This breach, which compromised the personal information of approximately 6.5 million individuals, affected customers of Bank of America and Fidelity Investment Life Insurance. A consolidated class action lawsuit was filed, claiming representation of all U.S. residents whose data was exposed. Infosys has agreed to settle the matter with a $17.5 million payment, which aims to cover remediation efforts and legal claims, appeasing the affected customers and potentially mitigating further financial and reputational damage.
MAY 2023
832
Breach
27 May 2023 • EY
Ernst & Young LLP
Data Breach at Ernst & Young LLP (EY US)
812
CRITICAL (-20)
ERN447072725
On August 9, 2023, the Washington State Office of the Attorney General reported a data breach affecting Ernst & Young LLP (EY US). The breach occurred from May 27, 2023, to May 31, 2023, involving a third-party service vulnerability in Progress Software’s MOVEit Transfer solution. The breach affected 1,129 Washington residents, compromising personal data including names, Social Security numbers, and financial information.
JUNE 2020
842
Breach
16 Jun 2020 • EY
Ernst & Young (EY)
EY Exposes 4TB SQL Server Backup Publicly on Microsoft Azure
822
CRITICAL (-20)
ERN3000430110625
A 4TB SQL Server backup file belonging to Ernst & Young (EY) was discovered publicly exposed on Microsoft Azure by cybersecurity firm Neo Security. The unencrypted .BAK file, identified during routine passive network analysis, likely contained sensitive data such as database schemas, user credentials, API keys, and authentication tokens. Ownership was confirmed via DNS SOA lookup linking to ey.com, though initial searches showed no explicit owner. While EY remediated the exposure swiftly and claimed no client or confidential data was compromised, the incident underscored the high risk of automated scanning tools discovering such leaks. The exposure duration and potential access by malicious actors remained unclear, but past incidents demonstrated that even brief cloud exposures could lead to PII and credential theft. The case highlighted critical gaps in cloud visibility and leak detection, emphasizing the need for continuous attack surface monitoring in complex cloud environments.