EY’s 4TB SQL Server Backup File On Microsoft Azure Exposed Publicly

A massive 4TB SQL Server backup file belonging to global accounting giant Ernst & Young (EY) was discovered publicly accessible on Microsoft Azure.

The exposure, uncovered by cybersecurity firm Neo Security during a routine asset mapping exercise, highlights how even well-resourced organizations can inadvertently leave sensitive data vulnerable to the internet’s automated scanners.

Neo Security’s lead researcher discovered the file while examining passive network traffic with low-level tools.

A simple HEAD request meant to fetch metadata without downloading content revealed the staggering size: 4 terabytes of data, equivalent to millions of documents or an entire library’s worth of information.

The file’s naming convention screamed SQL Server backup (.BAK format), which typically contains full database dumps, including schemas, user data, and, crucially, embedded secrets such as API keys, credentials, and authentication tokens.

Discovery and Verification Process

Initial searches of Azure Blob Storage yielded no immediate ownership clues, but deeper probes uncovered merger documents in a European language, translated with tools like DeepL, pointing to a 2020 acquisition.

A pivotal DNS SOA record lookup tied the domain to ey.com, confirming EY’s involvement. To avoid any legal pitfalls, the team downloaded only the file’s first 1,000 bytes, which revealed an unmistakable “magic bytes” signature for an unencrypted SQL Server backup, according to Neo Security.

This was not a theoretical risk. Neo Security relied on real-world incident response experience, recalling a fintech breach that resulted from the brief exposure of a similar .BAK file for just five minutes.

In that case, attackers exploited the brief window to exfiltrate personally identifiable information and credentials, leading to ransomware and the company’s collapse.

With today’s botnets scanning the entire IPv4 address space in minutes, such exposures invite inevitable compromise. Neo Security halted further probing and pursued responsible disclosure over a weekend, eventually connecting with EY’s CSIRT via LinkedIn outreach after 15 attempts.

EY responded swiftly and professionally, triaging and remediating the issue within a week, with no defensiveness, just effective action.

The firm deserves credit for its mature handling, a rarity in an industry often marred by denial or delays. Yet the incident underscores systemic cloud vulnerabilities. Azure’s convenience in exporting databases can lead to ACL (Access Control List) errors, flipping private storage public with one misclick.

For EY, a Big Four firm auditing billion-dollar deals and holding market-moving financial data, this lapse raises questions about oversight in fast-paced infrastructures.

Experts warn that automated adversarial scanning means the question about an exposure is not “if” it gets noticed but “how many” actors notice it.

As cloud complexity grows, continuous mapping and visibility tools become essential to outpace threats, ensuring organizations discover their own leaks first.
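One way to find this kind of ACL mistake in your own storage estate first, as an added example that is not from the article or from Neo Security: the Python below audits a storage inventory for anonymously readable containers and ranks database backups such as .BAK files at the top. The inventory is constructed sample data; its field names are modelled on the Azure settings `allowBlobPublicAccess` and `publicAccess`, and the merged layout and account names are assumptions.

```python
import json

# Constructed inventory, not real data. Field names are modelled on what the
# Azure CLI reports (allowBlobPublicAccess, publicAccess); the merged layout
# and the account names are assumptions for this example.
INVENTORY = json.loads("""[
 {"account": "examplecorpprod", "allowBlobPublicAccess": true, "containers": [
   {"name": "exports", "publicAccess": "container", "blobs": [
     {"name": "crm_full.BAK", "size": 4398046511104},
     {"name": "readme.txt", "size": 512}]},
   {"name": "private", "publicAccess": null, "blobs": [
     {"name": "hr.bak", "size": 1048576}]}]},
 {"account": "examplecorpweb", "allowBlobPublicAccess": false, "containers": [
   {"name": "assets", "publicAccess": "blob", "blobs": [
     {"name": "old_site.bacpac", "size": 2048}]}]}
]""")

BACKUP_SUFFIXES = (".bak", ".bacpac", ".sql", ".dump")

def audit(inventory):
    """Return anonymously readable blobs, database backups first."""
    findings = []
    for acct in inventory:
        # Account-level switch: False overrides any container ACL. An unset
        # value is treated as "allowed" so older accounts are not skipped.
        if acct.get("allowBlobPublicAccess") is False:
            continue
        for cont in acct.get("containers", []):
            level = cont.get("publicAccess")  # None, "blob" or "container"
            if level not in ("blob", "container"):
                continue
            for blob in cont.get("blobs", []):
                backup = blob["name"].lower().endswith(BACKUP_SUFFIXES)
                findings.append({
                    "account": acct["account"],
                    "container": cont["name"],
                    "blob": blob["name"],
                    "size": blob["size"],
                    # "container" level also lets anyone list blob names.
                    "listable": level == "container",
                    "severity": "critical" if backup else "review",
                })
    return sorted(findings, key=lambda f: (f["severity"] != "critical", -f["size"]))

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['severity']:8} {f['account']}/{f['container']}/{f['blob']} "
              f"{f['size']} bytes listable={f['listable']}")
```

Run on a schedule against a fresh inventory export, a non-empty result for a container that should be private is the signal to check its access level before an outside scanner does.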
