EY Data Leak – Massive 4TB SQL Server Backup Exposed Publicly on Microsoft Azure

A massive 4TB SQL Server backup file belonging to global accounting giant Ernst & Young (EY) was discovered publicly accessible on Microsoft Azure.

The exposure, uncovered by cybersecurity firm Neo Security during a routine asset mapping exercise, highlights how even well-resourced organizations can inadvertently leave sensitive data vulnerable to the internet’s automated scanners.

Neo Security’s lead researcher discovered the file while examining passive network traffic with low-level tools. A simple HEAD request designed to retrieve metadata without downloading content revealed a massive size: 4 terabytes of data, which is equivalent to millions of documents or the contents of an entire library.

The file’s naming convention screamed SQL Server backup (.BAK format), which typically contains full database dumps, including schemas, user data, and, crucially, embedded secrets such as API keys, credentials, and authentication tokens.

Discovery and Verification Process

Initial searches of Azure Blob Storage yielded no immediate ownership clues, but deeper probes uncovered merger documents in a European language, translated with tools like DeepL, pointing to a 2020 acquisition.

A pivotal DNS SOA record lookup tied the domain to ey.com, confirming EY’s involvement. To avoid any legal pitfalls, the team downloaded only the file’s first 1,000 bytes, which revealed an unmistakable “magic bytes” signature for an unencrypted SQL Server backup, according to Neo Security.

This was not a theoretical risk. Neo Security relied on real-world incident response experience, recalling a fintech breach that resulted from the brief exposure of a similar .BAK file for just five minutes.

In that case, attackers exploited the brief window to exfiltrate personally identifiable information and credentials, leading to ransomware and the company’s collapse.

With today’s botnets scanning the entire IPv4 address space in minutes, such exposures invite inevitable compromise. Neo Security halted further probing and pursued responsible disclosure over a weekend, eventually connecting with EY’s CSIRT via LinkedIn outreach after 15 attempts.

EY responded swiftly and professionally, triaging and remediating the issue within a week, with no defensiveness, just effective action.

An EY spokesperson told Cyber Security News, “Several months ago, EY became aware of a potential data exposure and immediately remediated the issue. No client information, personal data, or confidential EY data has been impacted. The issue was localized to an entity that was acquired by EY Italy and was unconnected to EY global cloud and technology systems.”

Experts warn that automated adversarial scanning means exposures aren’t “if” but “how many” actors notice.

As cloud complexity grows, continuous mapping and visibility tools become essential to outpace threats, ensuring organizations discover their own leaks first.
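One way to run that kind of self-mapping over an organization's own Azure storage inventory, as an added example that is not from the article or from Neo Security: it flags backup-named blobs that anonymous clients can read. The inventory is constructed sample data, the account and blob names and the suffix watch list are assumptions, and the field names follow Azure's `allowBlobPublicAccess` (account) and `publicAccess` (container) properties.

```python
"""Flag anonymously readable database backups in an Azure Blob inventory."""
from dataclasses import dataclass

# Assumed watch list of backup-style file suffixes (not from the article).
BACKUP_SUFFIXES = (".bak", ".bacpac", ".dmp", ".sql", ".sql.gz", ".trn")

# Constructed sample inventory; every account, container and blob name is made up.
INVENTORY = [
    {"account": "acquiredco", "allowBlobPublicAccess": True, "containers": [
        {"name": "migration", "publicAccess": "blob", "blobs": [
            {"name": "prod_full.BAK", "size": 4 * 1024**4},
            {"name": "readme.txt", "size": 812}]},
        {"name": "internal", "publicAccess": None, "blobs": [
            {"name": "hr.bak", "size": 9 * 1024**3}]}]},
    {"account": "corpglobal", "allowBlobPublicAccess": False, "containers": [
        {"name": "legacy", "publicAccess": "container", "blobs": [
            {"name": "crm.bak", "size": 2 * 1024**3}]}]},
]

@dataclass(frozen=True)
class Finding:
    url: str
    size: int
    listable: bool  # True when anonymous clients can also enumerate the container

def anonymous_level(account, container):
    """Effective anonymous access level, or None when the container is private."""
    # The account-level switch overrides container settings. A missing value is
    # treated as "allowed" so the audit errs toward flagging.
    if account.get("allowBlobPublicAccess") is False:
        return None
    level = container.get("publicAccess")
    return level if level in ("blob", "container") else None

def exposed_backups(inventory):
    """Return anonymously readable backup-named blobs, largest first."""
    findings = []
    for account in inventory:
        for container in account["containers"]:
            level = anonymous_level(account, container)
            if level is None:
                continue
            for blob in container["blobs"]:
                if blob["name"].lower().endswith(BACKUP_SUFFIXES):
                    url = (f"https://{account['account']}.blob.core.windows.net/"
                           f"{container['name']}/{blob['name']}")
                    findings.append(Finding(url, blob["size"], level == "container"))
    return sorted(findings, key=lambda f: f.size, reverse=True)

if __name__ == "__main__":
    for f in exposed_backups(INVENTORY):
        print(f"{f.size / 1024**4:.2f} TiB  listable={f.listable}  {f.url}")
```

A container at the `blob` level is not listable anonymously, but any blob in it is still readable by anyone who learns or guesses its URL, which is why the check does not treat that level as private.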

Guru Baran
Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.