
Your Cloud May Be Secure, But Are Your Backups? Lessons From The EY Incident

Published 01/12/2026

Written by Derek Hammack.

Cloud teams often obsess over production systems: hardening workloads, tightening IAM, refining detection rules, and closing misconfigurations before attackers can use them. But there’s another environment hiding in plain sight: your backup storage.

The recent discovery of a 4TB publicly accessible SQL Server backup linked to EY demonstrates a harsh reality. Even well-funded, security-mature organizations can unintentionally expose high-value data if backups aren’t governed with the same rigor as their primary infrastructure. And in the era of automated scanning, exposure isn’t a matter of chance. It’s a matter of time.


What Actually Happened in the EY Exposure

During routine passive network analysis, researchers at Neo Security identified a massive .BAK file that was 4 terabytes in size and publicly accessible on Microsoft Azure. Even without downloading the file, simple metadata checks showed it was a full SQL Server backup with potential access to database schemas, sensitive user data, API keys, hardcoded credentials, and authentication tokens.

A short test sample of only 1,000 bytes confirmed the backup was unencrypted and live. After days of tracing the owner, the investigation pointed to EY via DNS SOA records and historical corporate documentation. The researchers responsibly disclosed the finding, but only after 15 attempts to reach the right team.

To EY’s credit, the misconfiguration was quickly fixed and they confirmed no client data was impacted. But the bigger issue is not this one exposure; it is what the exposure represents for every enterprise running at cloud scale.


Why Backups Are Becoming a Cloud Security Risk

1. Backups escape governance more easily than production systems

Production systems are monitored, audited, and reviewed. Backups, however, often sit in:

  • Legacy storage accounts
  • Unused containers
  • Old replication targets
  • Forgotten disaster recovery buckets

Teams rarely treat backup storage as part of the attack surface. Attackers, however, absolutely do.


2. Backup files contain everything an attacker wants, without needing to break in

A database backup containing sensitive information is an invaluable target for cybercriminals. It hands an attacker secrets, credentials, internal mappings, proprietary business logic, and comprehensive historical records in a single file, giving deep insight into an organization’s operations without any need to break into a running system. That level of exposure enables them not only to exploit vulnerabilities and escalate privileges but also to conduct sophisticated, large-scale breaches that compromise systems, data integrity, and customer trust.


3. Cloud sprawl makes it easy to lose track of where backups live

Teams scale fast. Pipelines get messy. One engineer tests a backup restore in a temporary container and forgets to lock it down. Another team replicates a storage bucket for migration and never deletes it. At cloud speed, orphaned backups appear faster than teams can catalogue them.


4. Automated scanning tools turn exposures into immediate risk

The EY case underlines a new truth: the window between exposure and discovery is shrinking. Botnets and scanners sweep public cloud ranges nonstop. If a backup is exposed, someone will find it, usually within hours.


The EY Exposure: What It Teaches the Enterprise Cloud World

Lesson 1: Security maturity doesn’t prevent blind spots

EY has mature teams, global SOC operations, and strong processes. And yet one misconfigured storage endpoint created a high-risk exposure. No organization is immune to cloud drift.


Lesson 2: Ownership is often unclear

The researchers struggled to even identify the right team inside EY to contact. That’s common. Backups often fall under Infra, DBA teams, M&A integration teams, cloud operations, or even application teams. When ownership is unclear, governance gaps widen.


Lesson 3: Encryption is not enough

Many companies rely on encryption as the safety net. But encryption only protects the data it is actually applied to, and backup files are exactly where it tends to be skipped. If a backup is publicly exposed and unencrypted, the blast radius multiplies instantly.


Lesson 4: Most cloud risk isn’t hacking. It’s a misconfiguration.

Attackers don’t need to exploit vulnerabilities when publicly available data already exists. Security leaders must treat backups like any other high-risk asset.


How to Close the Backup Security Gap

The EY incident highlights a common but often overlooked source of risk: hidden exposure within backup and storage environments.


Continuous discovery of every storage asset

Effective security starts with knowing what exists across cloud and SaaS environments. This includes visibility into:

  • Old backups
  • Test snapshots
  • Temporary replication targets
  • Unused migration buckets

When these assets aren’t continuously discovered, they can quietly expand an organization’s attack surface.


Real-time exposure detection

Modern security programs must identify risky storage conditions as they happen, including:

  • Publicly accessible storage
  • Anonymous or unauthorized access
  • Misconfigured tokens or credentials
  • Unencrypted database backups
  • Resources deployed in the wrong network boundary

Immediate, prioritized alerts allow security teams to respond before exposure turns into an incident.


Context-rich insights to prioritize what matters

Raw alerts aren’t enough. Teams need context to understand real risk, such as:

  • Is this asset a database backup?
  • Does it contain sensitive or regulated data?
  • Is it globally accessible?
  • Is it connected to a production system?

Context transforms overwhelming alert lists into actionable intelligence.
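The three preceding sections (continuous discovery, real-time exposure detection, and context-rich prioritization) describe a pipeline rather than a product, so here is a worked version of it as an added example. This is not code from the article or from CheckRed: it runs the listed checks (anonymous public access, no network boundary, unencrypted database backups, stale or orphaned backups with no owner tag) over a constructed storage inventory and ranks the results by the article's context questions (database backup? globally accessible? linked to production?). The inventory field names, the suffix list and the weights are assumptions made for the example, not the schema of any real cloud API.

```python
"""Exposure triage for cloud backup storage (added example, not the article's
or CheckRed's code). Evaluates a constructed container inventory against the
risky conditions the article lists and ranks findings by its context questions.
Inventory layout, suffixes and weights are assumptions for this example."""
from datetime import date

BACKUP_SUFFIXES = (".bak", ".trn", ".sql", ".dump")  # assumed backup file types
STALE_AFTER_DAYS = 365

# Context weights that turn findings into a priority score (assumed values).
WEIGHTS = {
    "public": 40,       # globally accessible: the condition behind the EY exposure
    "db_backup": 20,    # the asset is a database backup
    "unencrypted": 20,  # backup file is not encrypted
    "production": 10,   # connected to a production system
    "stale": 5,         # backup untouched for over a year (likely orphaned)
    "no_owner": 5,      # no owner tag: the alert has nobody to route to
    "open_network": 5,  # no network boundary (default action Allow)
}

# Constructed sample inventory; names and field layout are assumptions.
INVENTORY = [
    {"account": "legacy-dr-store", "container": "sqlbackups",
     "public_access": "container",          # anonymous listing and read
     "network_default_action": "Allow", "tags": {}, "linked_to_production": True,
     "blobs": [{"name": "prod_full.bak", "size_bytes": 4 * 1024 ** 4,
                "encrypted": False, "last_modified": date(2024, 3, 1)}]},
    {"account": "prod-backups", "container": "daily",
     "public_access": None, "network_default_action": "Deny",
     "tags": {"owner": "dba-team"}, "linked_to_production": True,
     "blobs": [{"name": "app_2026-01-11.bak", "size_bytes": 800 * 1024 ** 3,
                "encrypted": True, "last_modified": date(2026, 1, 11)}]},
    {"account": "migration-temp", "container": "export",
     "public_access": "blob",               # anonymous read of known blob names
     "network_default_action": "Allow",
     "tags": {"owner": "migration-team"}, "linked_to_production": False,
     "blobs": [{"name": "notes.txt", "size_bytes": 2048,
                "encrypted": True, "last_modified": date(2025, 12, 1)}]},
]


def is_database_backup(blob_name):
    """Classify a blob as a database backup by its file suffix."""
    return blob_name.lower().endswith(BACKUP_SUFFIXES)


def assess(container, today):
    """Run the exposure checks on one container; return (findings, context flags)."""
    flags, findings = set(), []
    if container["public_access"] in ("blob", "container"):
        flags.add("public")
        findings.append(f"anonymous read enabled ({container['public_access']} level)")
    if container["network_default_action"] != "Deny":
        flags.add("open_network")
        findings.append("no network boundary: default action is Allow")
    if not container["tags"].get("owner"):
        flags.add("no_owner")
        findings.append("no owner tag: nobody to route the alert to")
    for blob in container["blobs"]:
        if not is_database_backup(blob["name"]):
            continue
        flags.add("db_backup")
        if not blob["encrypted"]:
            flags.add("unencrypted")
            findings.append(f"unencrypted database backup: {blob['name']}")
        if (today - blob["last_modified"]).days > STALE_AFTER_DAYS:
            flags.add("stale")
            findings.append(f"stale backup, unmodified for over a year: {blob['name']}")
    if container["linked_to_production"]:
        flags.add("production")
    return findings, flags


def triage(inventory, today):
    """Score every container that has findings and return them highest risk first.
    Healthy assets produce no alert at all, which keeps the list actionable."""
    results = []
    for container in inventory:
        findings, flags = assess(container, today)
        if not findings:
            continue
        results.append({"account": container["account"],
                        "container": container["container"],
                        "score": sum(WEIGHTS[f] for f in flags),
                        "context": sorted(flags), "findings": findings})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(INVENTORY, date(2026, 1, 12)):
        print(f"[{r['score']:>3}] {r['account']}/{r['container']}: "
              + "; ".join(r["findings"]))
```

Run against the constructed inventory, the public, unencrypted, unowned 4 TB backup outranks the public-but-harmless migration container, and the properly locked-down production backup generates no alert. In a real deployment the inventory would be refreshed continuously from the cloud provider's storage APIs and the owner tag would be the routing key for the alert.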


Automated and guided remediation

Closing the gap requires the ability to act quickly. Common remediation actions include:

  • Disabling public access
  • Revoking exposed tokens
  • Enforcing encryption
  • Locking down access policies

Automation and guided workflows reduce manual effort and help teams remediate consistently and safely.


Conclusion

Cloud security incidents rarely stem from headline-grabbing zero-day exploits. More often, they originate from small, overlooked gaps—like unsecured backups quietly sitting in misconfigured storage. The EY exposure is a reminder that backups are no longer passive archives; they are high-value assets that demand the same governance, monitoring, and controls as production systems.

Without continuous visibility and proactive oversight, even well-secured environments remain vulnerable to a single missed setting. Closing the backup security gap requires ongoing monitoring, contextual risk analysis, and the ability to remediate exposures before attackers find them.


About the Author

Derek Hammack is a multi-disciplinary cybersecurity professional at CheckRed with a background spanning engineering, communications, analytics, and strategic leadership. With experience across government and private sectors—including work in cloud architecture, SaaS security, and cross-functional program management—he brings a systems-thinking approach to solving complex challenges. Derek is passionate about helping organizations stay ahead of evolving threats through proactive posture management and modern security solutions.
