
Luca Stivali : 3 November 2025 07:20
In recent days, the alleged data leak at Ernst & Young (EY) has become one of the most discussed topics in the international cybersecurity landscape.
I decided to reconstruct the story step by step, starting from the technical evidence shared by Recorded Future and the analysis by Neo Security, to understand not only how the exposure occurred, but also what it can teach us about the control of digital assets in complex cloud environments like EY’s.
The file, in .BAK format, was accessible without authentication and may have contained sensitive information, such as API keys, service credentials, and authentication tokens.
There have been recent incidents of outages involving AWS and Microsoft Azure due to incorrect access configurations. These incidents make the cloud appear like a fragile fortress, vulnerable to a simple failure or misconfiguration.
The incident, while resolved quickly and without evidence of malicious access, raises questions about post-acquisition security and cloud attack surface management.
As explained in Neo Security’s official post and in Recorded Future’s report, the discovery was made during an attack surface mapping operation aimed at charting the public exposures of large international organizations.
During the scan, the team spotted a .BAK file accessible without authentication and performed a HEAD request, an HTTP request that returns only the file’s headers without downloading its body.
The response — HTTP 200 OK with a Content-Length of about 4 TB — was enough to understand that it was a backup of impressive size, potentially containing highly valuable internal data.
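The HEAD check described above, turned into an audit you can run against your own storage inventory. This is an added example, not code from the article, Neo Security or Recorded Future; the size threshold, the extension list and the severity labels are my assumptions.

```python
"""Classify a HEAD response for an unauthenticated, large backup object.

Added example (not the article's or Neo Security's code). The live helper
issues a HEAD request, so only headers are read and the body is never
downloaded; the classification is a pure function so it can be exercised
offline on constructed responses. Thresholds and extensions are assumptions.
"""
import urllib.error
import urllib.request
from urllib.parse import urlparse

BACKUP_EXTENSIONS = (".bak", ".sql", ".dump", ".tar", ".zip")  # assumed list
LARGE_BYTES = 1024 ** 3  # 1 GiB: assumed "large" threshold


def classify(url, status, headers):
    """Return (finding, reason) from a HEAD status code and header dict."""
    hdr = {k.lower(): v for k, v in headers.items()}
    path = urlparse(url).path.lower()
    if status in (401, 403):
        return "protected", f"HTTP {status}: authentication required"
    if status == 404:
        return "absent", "HTTP 404"
    if status != 200:
        return "unknown", f"HTTP {status}"
    try:
        size = int(hdr.get("content-length", "0"))
    except ValueError:
        size = 0
    looks_backup = path.endswith(BACKUP_EXTENSIONS)
    if looks_backup and size >= LARGE_BYTES:
        # The EY pattern: anonymous 200 on a multi-TB .BAK file.
        return "critical", f"public backup, {size / 1024 ** 4:.2f} TiB"
    if looks_backup or size >= LARGE_BYTES:
        return "high", f"public object, {size} bytes"
    return "public", f"public object, {size} bytes"


def head(url, timeout=10):
    """Live HEAD request against a URL from your own asset inventory."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:  # 403/404 still carry headers
        return e.code, dict(e.headers)


def audit(url):
    status, headers = head(url)
    return classify(url, status, headers)
```

Run `audit("https://<your-account>.blob.core.windows.net/<container>/<object>")` over the URLs you already own; a "critical" result is the condition the researchers found.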
Through an analysis of the DNS and SOA metadata, the bucket was linked to the ey.com domain, tracing it back to the EY infrastructure.
Researchers later identified the file as a full backup of Microsoft SQL Server, including not only the schema and application data, but also possible credentials, API keys, OAuth tokens, and service passwords.
Neo Security describes its work not as a simple scanning activity, but as a real “digital risk mapping”, aimed at identifying what organizations themselves are often unaware they possess.
During this mapping, the team detected the anomaly on Azure and, through a series of passive HTTP requests, confirmed that the bucket was publicly accessible and contained a backup file of approximately 4 TB.
According to the researchers, the cause lies in an incorrectly configured ACL (Access Control List): likely an automated backup process set to public due to overly permissive default settings.
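To make the "overly permissive default" concrete, here is an added audit (not code from the article, EY or Neo Security) that reads the kind of JSON the Azure CLI prints for a storage account and its containers and flags the two settings that together make a blob anonymously readable. The field names follow the CLI's camelCase output as I understand it, and the sample JSON is constructed.

```python
"""Flag anonymous-access settings on an Azure Storage account.

Added example, not the article's code. Input mirrors what
`az storage account show` and `az storage container list` emit (field
names assumed); the sample below is constructed, not real EY data.
"""
import json

# Constructed sample: account allows public access, two containers opt in.
ACCOUNT_JSON = '{"name": "backupsacct-example", "allowBlobPublicAccess": true}'
CONTAINERS_JSON = """[
  {"name": "sqlbackups",   "properties": {"publicAccess": "container"}},
  {"name": "app-assets",   "properties": {"publicAccess": "blob"}},
  {"name": "private-data", "properties": {"publicAccess": null}}
]"""


def audit_public_access(account_json, containers_json):
    """Return (scope, name, problem) findings for every permissive setting."""
    account = json.loads(account_json)
    containers = json.loads(containers_json)
    findings = []
    # Account-level switch: with this false, no container can be anonymous
    # regardless of its own ACL, so it is the setting to lock down first.
    if account.get("allowBlobPublicAccess", False):
        findings.append(("account", account["name"],
                         "allowBlobPublicAccess=true"))
    for c in containers:
        level = (c.get("properties") or {}).get("publicAccess")
        if level == "container":
            findings.append(("container", c["name"],
                             "anonymous listing and read of every blob"))
        elif level == "blob":
            findings.append(("container", c["name"],
                             "anonymous read of any blob whose URL is known"))
    return findings


def remediation_commands(account, resource_group, findings):
    """Build the az CLI commands that turn public access off per finding."""
    cmds = []
    for scope, name, _ in findings:
        if scope == "account":
            cmds.append(f"az storage account update -n {name} -g {resource_group}"
                        " --allow-blob-public-access false")
        else:
            cmds.append(f"az storage container set-permission -n {name}"
                        f" --account-name {account} --public-access off")
    return cmds
```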
Following the report, EY responded swiftly, closing the exposure within approximately a week and working with Neo Security through the triage phase.
While there is no evidence of exfiltration, the team emphasizes that the data “may have been visible to multiple parties during the time window,” given the constant presence of automated scanners in cyberspace.
In its post, Neo Security expands on the discussion with a concrete example that perfectly illustrates what happens when a cloud asset becomes public, even for just a few minutes.
The author recounts a previous fintech incident, in which an engineer accidentally set an Amazon S3 bucket to public and then, after just five minutes, fixed the error, believing he was safe.
He was not. In those few minutes, the entire database—with personal data, credentials, and company secrets—had already been intercepted and copied.
“Attackers don’t scan randomly. They deploy thousands of automated scanners across every corner of the Internet.
Compromised IoT devices? Botnets. Hacked home routers? Botnets. Hacked cloud instances? Botnets.”
(Neo Security, “The 4 TB Time Bomb”)
These networks of distributed scanners don’t “browse” like human users: they constantly scour the entire IPv4 space—over 4.3 billion addresses—in minutes, leveraging a massively parallel infrastructure optimized for a single purpose: finding exposed data.
It’s a kind of “automated gold rush,” where every second counts. Every new S3 bucket, Azure blob, or misconfigured GCS storage immediately becomes the target of thousands of concurrent requests.
The time separating the misconfigured state from the exfiltrated state is no longer measured in hours or minutes, but in seconds.
In the case cited by Neo Security, the victim company had recorded an abnormal 400% spike in website traffic during those five minutes of exposure: these were not users, but automated bots that scanned every endpoint, looking for other entry points.
A few minutes later, the database was already in the underground circuits and the company, crushed by the reputational damage and legal costs, never recovered.
This example is not meant to dramatize, but to clarify a fundamental point:
In a world where botnets scan the entire internet in real time, there’s no such thing as a “temporary glitch.” Even a few moments’ exposure is enough for data to be detected, copied, and disseminated.
Following the disclosure, EY released an official statement:
“Several months ago, EY became aware of a potential data exposure and immediately remediated the issue. No client information, personal data, or confidential EY data has been impacted. The issue was localized to an entity that was acquired by EY Italy and was unconnected to EY global cloud and technology systems.”
The company clarifies that the incident did not involve the global network, but an entity acquired by EY Italy, separate from the group’s central infrastructure.
EY’s statement has a reassuring tone, but highlights a critical point that is often underestimated: security management in acquired entities.
Every acquisition brings with it legacy infrastructure, procedures, and sometimes vulnerabilities. If these environments aren’t integrated and held to the same global standards, they can become blind spots in the security perimeter.
In the EY case, it wasn’t a sophisticated attack, but rather a misconfiguration in a legacy environment. However, in a global and distributed context, a single forgotten bucket can have a huge reputational impact—even without an actual data breach.
In his final comment, the analyst from Recorded Future’s CTI team recalls that, given EY’s role in managing audit, finance and M&A, such exposure, if exploited, could have had regulatory, operational and reputational consequences.
The company recommends:
The EY case demonstrates that cloud security today depends not only on firewalls or encryption, but on comprehensive awareness of digital assets. A single misconfigured bucket can become a 4-terabyte bomb, ready to detonate on the reputation of a global giant.
Whether the origin is a company acquired in Italy or an automated backup process, the lesson remains the same:
“You can’t defend what you don’t know you own.”
You can’t protect what you don’t know you own — a phrase that perfectly sums up the heart of modern cloud security.