Accenture’s clients had cloud environments compromised in the wake of a ransomware attack on the consulting multinational in August, it has admitted in a regulatory filing that confirms “proprietary information” was stolen from its systems — while customers have also suffered “breaches of systems and cloud-based services enabled by or provided by us” as a result and may yet continue to do so in the wake of the attack.
The statement in the consulting multinational’s annual report (fiscal 2021) is the first substantial acknowledgement of the impact from the attack — which saw cybercriminals briefly publish 2,384 sensitive files on a Dark Web site. It was first spotted and reported by Bleeping Computer’s Sergiu Gatlan.
It also appears to contradict vehement denials by Accenture in August that the attack had had any impact — the company saying at the time that “… we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected servers from back up. There was no impact on Accenture’s operations, or on our clients’ systems.”
The incident came at the tail-end of a blockbuster year for Accenture (one described by CEO Julie Sweet as “truly extraordinary”) as the company reported revenues of $50.5 billion and record new bookings of $59.3 billion, adding approximately 118,000 people to its global workforce, despite economic turmoil caused by the pandemic.
(As with most companies affected by ransomware — but not operationally crippled in a substantial way — investors and customers seem to have largely shrugged off the incident.)
Accenture customers experience “breaches of systems”
As part of a mandatory filing on risk factors affecting the company, Accenture said: “During the fourth quarter of fiscal 2021, we identified irregular activity in one of our environments, which included the extraction of proprietary information by a third party, some of which was made available to the public by the third party. In addition, our clients have experienced, and may in the future experience, breaches of systems and cloud-based services enabled by or provided by us. To date these incidents have not had a material impact on our or our clients’ operations; however, there is no assurance that such impacts will not be material in the future…”
While ransomware attacks remain rife (Cisco Talos reported that ransomware represented 46% of all of its incident response call-outs in April-June 2021, triple that of the next most common issue, exploitation of Microsoft Exchange servers, with “most attackers continuing to use commercial tools like Cobalt Strike, open source tools like Rubeus, and tools native on victim machines, like PowerShell”), corporate responses to them continue to vary hugely: from blow-by-blow live-blogging of incident response through to the haughtily taciturn.
In 2017 Accenture left at least four cloud storage buckets unsecured and publicly downloadable, exposing secret API data, authentication credentials, certificates, decryption keys, and customer information.
“These people are beyond privacy and security. I really hope that their services are better than what I saw as an insider,” one of the group’s attackers said at the time, hinting that they had had insider help.