A critical security vulnerability was discovered when a complete 4-terabyte SQL Server backup belonging to Ernst & Young (EY), one of the world’s Big Four accounting firms, was found publicly accessible on Microsoft Azure.
The exposure was identified by security researchers during routine internet mapping operations and has since been remediated following responsible disclosure protocols.
Discovery and Initial Response
Security researchers conducting passive data collection discovered the massive backup file through standard reconnaissance techniques.
A HEAD request to the Azure storage bucket returned metadata indicating a 4-terabyte object, an unusually large file that immediately warranted investigation.
The file naming convention matched SQL Server backup (.BAK) file formats, suggesting a complete database export containing schemas, stored procedures, and potentially sensitive data including API keys, session tokens, user credentials, and authentication tokens.
To verify the file’s authenticity without downloading the entire dataset, researchers examined the file’s header signature, the distinctive “magic bytes” that identify a file type.

The bytes confirmed an unencrypted SQL Server backup, eliminating any doubt about the severity of the exposure.
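The verification step described above (an anonymous HEAD request to read the object size, then a Range request for the first few bytes rather than a full download) is a useful check for a defender auditing their own storage endpoints. The following is an added example, not code from the original article or from the researchers: the URL in the demo is a constructed placeholder, and the signature table is an assumption to confirm against files you control (the `TAPE` bytes are the Microsoft Tape Format descriptor block that SQL Server `.BAK` files begin with).

```python
"""Check whether a cloud-hosted object is anonymously readable and identify
its type from a few header bytes, without downloading it.

Added example, not code from the original article. The URL used in the demo
is a constructed placeholder. The b"TAPE" signature is the Microsoft Tape
Format descriptor block that SQL Server .BAK files begin with; treat the
signature table as an assumption to confirm against a backup you control.
"""
from dataclasses import dataclass
from typing import Optional
import urllib.error
import urllib.request

# Header signatures ("magic bytes") mapped to human-readable labels.
MAGIC_SIGNATURES = {
    b"TAPE": "SQL Server backup (Microsoft Tape Format, unencrypted)",
    b"SQLite format 3\x00": "SQLite database",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip stream",
}


@dataclass
class ExposureFinding:
    url: str
    anonymous_read: bool
    size_bytes: Optional[int]
    file_type: str


def classify_magic(header: bytes) -> str:
    """Label the longest signature that matches the start of `header`."""
    best_sig, best_label = b"", "unknown"
    for sig, label in MAGIC_SIGNATURES.items():
        if header.startswith(sig) and len(sig) > len(best_sig):
            best_sig, best_label = sig, label
    return best_label


def parse_content_length(headers) -> Optional[int]:
    """Content-Length from HEAD response headers; None if absent or malformed."""
    value = headers.get("Content-Length") if headers is not None else None
    if value is None:
        return None
    try:
        size = int(value)
    except (TypeError, ValueError):
        return None
    return size if size >= 0 else None


def size_is_suspicious(size_bytes: Optional[int], threshold_gb: int = 100) -> bool:
    """A multi-hundred-gigabyte object on an anonymous endpoint deserves a look."""
    return size_bytes is not None and size_bytes >= threshold_gb * 1024 ** 3


def probe_anonymous(url: str, timeout: float = 10.0) -> ExposureFinding:
    """HEAD the object with no credentials; if it answers, fetch only the
    first 16 bytes via a Range request and classify them."""
    try:
        req = urllib.request.Request(url, method="HEAD")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            size = parse_content_length(resp.headers)
    except urllib.error.HTTPError as exc:
        # Azure answers anonymous requests for private blobs with 404 rather
        # than 403; either way the object is not readable without auth.
        if exc.code in (401, 403, 404):
            return ExposureFinding(url, False, None, "not anonymously readable")
        raise
    req = urllib.request.Request(url, headers={"Range": "bytes=0-15"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        header = resp.read(16)
    return ExposureFinding(url, True, size, classify_magic(header))


if __name__ == "__main__":
    # Constructed placeholder URL: replace with an object you are authorised to check.
    finding = probe_anonymous(
        "https://STORAGE_ACCOUNT.blob.core.windows.net/CONTAINER/OBJECT.bak")
    print(finding, "SUSPICIOUS SIZE" if size_is_suspicious(finding.size_bytes) else "")
```

The split between `probe_anonymous` and the pure helpers is deliberate: the classification and size logic can be unit-tested offline, and the network part sends no credentials, so a successful HEAD is itself the finding.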
The discovery proved particularly concerning given what cybersecurity professionals know about cloud-exposed backups.


Years of incident response work have established a troubling pattern: attackers deploy distributed scanning infrastructure across the internet that can sweep entire IP address ranges in minutes, searching specifically for misconfigured cloud buckets and exposed databases.
The window between exposure and exfiltration is often measured in seconds rather than hours.
A comparable incident from previous years involved a fintech company where a database backup was accidentally set to public for approximately five minutes.
Despite the brief exposure window, attackers had already exfiltrated the entire dataset, including personally identifiable information and credentials.
The company’s homepage traffic spiked 400 percent during that window, suggesting thousands of automated bots had accessed the exposed files.
Tracing ownership required detective work spanning DNS records, business registration documents, and domain authority lookups.
An SOA (Start of Authority) record query ultimately revealed the authoritative DNS server pointed to ey.com, confirming ownership by EY’s parent organization.
Researchers immediately ceased technical investigation and began attempting to contact the security team through LinkedIn and other channels since no formal vulnerability disclosure program was readily available.
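The ownership trace above (walking up the hostname until a zone with an SOA record is found, then reading which organisation's nameserver is authoritative) can be automated. The following is an added example, not code from the article or the researchers: the resolver is injected so the logic runs offline against a constructed zone table, `dnspython_soa` is a live resolver built on dnspython, the hostnames in the demo are constructed, and `owner_domain` is a last-two-labels heuristic that knows nothing about public suffixes such as `co.uk` (an assumption to refine for real use).

```python
"""Attribute a hostname to its owning organisation by walking up the DNS
hierarchy until a zone with an SOA record is found, then reading the SOA's
primary nameserver (MNAME) and responsible-party mailbox (RNAME).

Added example, not code from the article. The resolver is injected so the
logic runs offline against a constructed zone table; `dnspython_soa` is a
live resolver using dnspython (pip install dnspython). Hostnames in the demo
are constructed; `owner_domain` uses a last-two-labels heuristic and knows
nothing about public suffixes such as co.uk (an assumption to refine).
"""
from typing import Callable, Dict, List, Optional, Tuple

SoaLookup = Callable[[str], Optional[Tuple[str, str]]]   # zone -> (mname, rname)


def candidate_zones(name: str) -> List[str]:
    """Zones to try from most to least specific: a.b.example.com ->
    [a.b.example.com, b.example.com, example.com]."""
    labels = name.strip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def soa_rname_to_email(rname: str) -> str:
    """RNAME encodes a mailbox: the first unescaped dot stands for '@'."""
    r = rname.rstrip(".")
    local: List[str] = []
    i = 0
    while i < len(r):
        if r[i] == "\\" and i + 1 < len(r):     # escaped dot inside the local part
            local.append(r[i + 1])
            i += 2
        elif r[i] == ".":
            return "".join(local) + "@" + r[i + 1:]
        else:
            local.append(r[i])
            i += 1
    return r


def owner_domain(hostname: str) -> str:
    """Registrable domain of a nameserver (heuristic: last two labels)."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_zone_soa(name: str, lookup: SoaLookup) -> Optional[Dict[str, str]]:
    """Walk up from `name` and return details of the first zone with an SOA."""
    for zone in candidate_zones(name):
        result = lookup(zone)
        if result is not None:
            mname, rname = result
            return {
                "zone": zone,
                "mname": mname.rstrip("."),
                "owner": owner_domain(mname),
                "contact": soa_rname_to_email(rname),
            }
    return None


def dnspython_soa(zone: str) -> Optional[Tuple[str, str]]:
    """Live lookup; returns None when the name has no SOA of its own."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(zone, "SOA")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return None
    rr = answer[0]
    return rr.mname.to_text(), rr.rname.to_text()


# Constructed zone table standing in for live DNS.
FAKE_ZONES: Dict[str, Tuple[str, str]] = {
    "example.com": ("ns1.example.com.", "hostmaster.example.com."),
}

if __name__ == "__main__":
    print(find_zone_soa("backup-blob.storage.example.com", FAKE_ZONES.get))
    # print(find_zone_soa("some-host.example.com", dnspython_soa))  # live lookup
```

The RNAME mailbox is often the quickest route to a security contact when, as in this case, no formal disclosure programme is published; the MNAME's owning domain is what ties the zone back to the organisation.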
EY’s incident response proved exemplary. Security leadership acknowledged the report without defensiveness, initiated rapid triage, and completed full remediation within one week.
The firm demonstrated the professionalism and technical competency that should characterize incident response for organizations handling sensitive financial data.
The incident underscores a critical weakness in modern cloud infrastructure: organizations managing massive digital assets often lack real-time visibility into their own exposure surface.
Even well-resourced enterprises with dedicated security teams can accidentally misconfigure access controls through simple mistakes: a wrong bucket name, overlooked ACL settings, or default public permissions during automated exports.
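Regaining the visibility described above starts with a routine audit of the two settings that together decide whether a blob is anonymously readable: the account-level `allowBlobPublicAccess` switch and each container's public-access ACL. The following is an added example, not code from the article or from EY: the inventory is constructed, and its field names mirror what `az storage account show` and `az storage container list` emit, but treat that shape as an assumption and adapt it to your own exporter.

```python
"""Audit an inventory of Azure storage accounts for anonymous blob access,
the misconfiguration class behind exposed backups.

Added example, not code from the article. The inventory below is constructed;
its field names mirror `az storage account show` (allowBlobPublicAccess) and
`az storage container list` (properties.publicAccess), but treat that shape
as an assumption and adapt it to whatever exporter you feed it.
"""
from typing import Dict, List

# Constructed inventory: one account with the account-level switch left on and
# a container ACL set to 'blob', one with the switch off but a sloppy ACL.
INVENTORY: List[Dict] = [
    {
        "name": "stfinancebackups",
        "resourceGroup": "rg-data",
        "allowBlobPublicAccess": True,
        "containers": [
            {"name": "sqlbackups", "properties": {"publicAccess": "blob"}},
            {"name": "private", "properties": {"publicAccess": None}},
        ],
    },
    {
        "name": "stlockeddown",
        "resourceGroup": "rg-data",
        "allowBlobPublicAccess": False,
        "containers": [
            {"name": "exports", "properties": {"publicAccess": "container"}},
        ],
    },
]


def container_access_level(container: Dict) -> str:
    """Normalise the per-container ACL to 'off', 'blob' or 'container'."""
    level = (container.get("properties") or {}).get("publicAccess")
    return (level or "off").lower()


def audit_account(account: Dict) -> List[Dict]:
    """Return findings for one account. The account-level switch overrides the
    container ACL: a public ACL under allowBlobPublicAccess=false is only a
    hygiene issue, but becomes a real exposure the moment the switch is on."""
    # Accounts that predate the setting default to allowing public access.
    allow = account.get("allowBlobPublicAccess")
    allow = True if allow is None else bool(allow)
    acct, rg = account["name"], account.get("resourceGroup", "<rg>")
    findings = []
    for container in account.get("containers", []):
        level = container_access_level(container)
        if level == "off":
            continue
        if allow:
            severity = "critical" if level == "container" else "high"
            why = ("anonymous listing and read of every blob" if level == "container"
                   else "anonymous read of any blob whose name is known or guessed")
        else:
            severity, why = "low", "public ACL is blocked by the account-level switch"
        findings.append({
            "account": acct, "container": container["name"], "acl": level,
            "severity": severity, "reason": why,
            "remediation": (
                f"az storage container set-permission --name {container['name']} "
                f"--account-name {acct} --public-access off; "
                f"az storage account update --name {acct} --resource-group {rg} "
                f"--allow-blob-public-access false"),
        })
    return findings


def audit(inventory: List[Dict]) -> List[Dict]:
    """Flatten findings across every account in the inventory."""
    return [f for account in inventory for f in audit_account(account)]


if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f['severity']}] {f['account']}/{f['container']} acl={f['acl']}: {f['reason']}")
        print("   fix:", f["remediation"])
```

Running this on a scheduled export rather than once turns it into the real-time visibility the article says is missing: a container that flips to `blob` during an automated export shows up on the next run instead of in a researcher's disclosure email.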