Some 4TB of EY’s database backup was publicly available online. For now, there is no confirmation of exactly what data was in the collection, but the scale of the disclosed volume is enough to set off another wave of discussion in the industry about what is usually neglected: the security of backups.
For years, the cybersecurity market has focused on attacks on and infiltrations of production systems. Meanwhile, backups are often full, 1:1 representations of running instances: not just tables, but also code, access tokens, API keys and configurations. The EY case demonstrates the mechanics of many high-profile incidents in recent months – no need for zero-day vulnerabilities, no need for advanced APT groups. All you need is a misconfigured permission on a bucket or a snapshot with default permissions.
Industry reports confirm the scale of the problem. Wiz Security calculated that in AWS alone, the number of misconfigured S3 resources grew at a double-digit rate quarter-on-quarter in 2024. Gartner predicts that by 2027, as many as 60 per cent of cloud incidents will be due to configuration errors rather than security breaches. For corporate security departments, this means one thing: the battle is no longer over the next EDR layer, but over control of the entire XaaS configuration.
This is not a concern for hyperscalers alone. There is no shortage of organisations that maintain backups on a hybrid of simple NAS storage, public cloud and repositories inherited from previous generations of systems. Any such component is a potential back door if it is not held to the same standards as the production environment: encryption, zero-trust access, identity control, near real-time alerting.
Interestingly, it is no longer about the backup itself. New XDR and posture management tools are starting to treat backup as a normal, active part of the attack surface. They are monitoring the configuration of Microsoft 365 services, analysing key exposure, scanning tokens in snapshots, looking for redundant role permissions and accounts that could serve as a pivot.
The biggest lesson from the EY incident is, paradoxically, a minimal one: a backup is not a neutral entity. It is a full-fledged asset, often more important than production, because it contains the complete data and the complete history of processes. A single mistake in backup exposure can undo years of investment in security and shift the emphasis in the strategies of CISOs across the market, including in Poland. Proactive configuration audits and control automation are today as critical a part of cyber hygiene as the defence tools themselves.
Update:
In response to the above publication, we have received an official comment from EY, the content of which we publish below in its entirety:
“Several months ago, EY became aware of a possible data breach and immediately implemented appropriate procedures. No customer information, personal data, or confidential company data was compromised. The situation did not involve EY Poland. It was related to an entity acquired by EY in Italy, which was not connected to EY’s global cloud or systems.”
