Ernst & Young accidentally leaks 4TB of internal data in massive online exposure

Ernst & Young (EY), one of the world’s largest accounting and consulting firms, reportedly left a 4-terabyte (TB) database backup exposed on the public internet — potentially revealing vast amounts of sensitive company information.

The unprotected .BAK file, believed to be a full SQL Server database backup, was discovered by a security researcher at Neo Security who stumbled upon it while conducting unrelated “low-level tooling work”. According to the researcher, the file contained critical internal data — including schema, stored procedures, and potentially API keys, session tokens, user credentials, and service account passwords.

The researcher noted that whatever the application stored in the database — not just one secret, but all the secrets. A report from TechRadar highlighted that the ramifications could have been severe, with experts warning that even a brief exposure could have allowed threat actors to steal data or deploy ransomware.

“Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there with a note saying ‘free to a good home,’” the researcher said.

Once the exposure was confirmed, the Neo Security team immediately contacted EY to alert them to the potential breach. Although it remains unclear how long the database was publicly accessible, the researchers cautioned that it was safest to assume that multiple malicious actors could have accessed it before it was secured.

Despite the gravity of the incident, the researcher praised EY for its swift and professional response, describing it as “textbook perfect” — acknowledging the alert without defensiveness or legal threats, and assuring the team that action was being taken.

However, reports indicate that it took around a week for EY to fully remediate the issue, a lengthy period given the potential risk.

In a statement to TechRadar Pro, EY confirmed the incident but downplayed its impact. It said that few months ago, EY became aware of a potential data exposure and immediately remediated the issue. No client information, personal data, or confidential EY data has been impacted. The issue was localised to an entity that was acquired by EY Italy and was unconnected to EY’s global cloud and technology systems.

While the firm insists that no client or confidential data was compromised, cybersecurity experts argue the incident underscores the risks of poor cloud storage practices — particularly when backups containing highly sensitive information are left accessible without proper safeguards.