Your Cloud May Be Secure, But Are Your Backups? Lessons from the EY Incident

Cloud teams often obsess over production systems: hardening workloads, tightening IAM, refining detection rules, and closing misconfigurations before attackers can use them. But there’s another environment hiding in plain sight: your backup storage.

The recent discovery of a 4TB publicly accessible SQL Server backup linked to EY demonstrates a harsh reality. Even well-funded, security-mature organizations can unintentionally expose high-value data if backups aren’t governed with the same rigor as their primary infrastructure. And in the era of automated scanning, exposure isn’t a matter of chance. It’s a matter of time.


What Actually Happened in the EY Exposure

During routine passive network analysis, researchers at Neo Security identified a massive .BAK file, 4 terabytes in size, that was publicly accessible on Microsoft Azure. Even without downloading the file, simple metadata checks showed it was a full SQL Server backup, the kind of file that typically holds database schemas, sensitive user data, API keys, hardcoded credentials, and authentication tokens.

A short test sample of only 1,000 bytes confirmed the backup was unencrypted and live. After days of tracing the owner, the investigation pointed to EY via DNS SOA records and historical corporate documentation. The researchers responsibly disclosed the finding, but only after 15 attempts to reach the right team.
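As an added illustration (not code from the post, from Neo Security or from EY), the following Python checker performs the two passive checks the write-up describes, a metadata (object-name) check and a roughly 1,000-byte header sample, against constructed sample bytes. The extension list, the entropy threshold, the sample data and the SAMPLE_SIZE constant are assumptions; in practice the sample would come from a ranged read of objects in your own storage accounts, so that anything identifiable as a backup in an anonymously readable container is caught before a stranger's scanner reads it.

```python
import hashlib
import math
from collections import Counter

# Native SQL Server backups are written in Microsoft Tape Format (MTF); the
# media header at offset 0 begins with the ASCII block name "TAPE".
MTF_MAGIC = b"TAPE"

# Object-name suffixes commonly used for database backups and dumps
# (assumption: extend this tuple to match your own backup tooling).
BACKUP_EXTENSIONS = (".bak", ".bacpac", ".trn", ".dmp", ".dump", ".sql.gz")

# Shannon entropy (bits per byte) above which a byte range is treated as
# opaque (encrypted or compressed) rather than plaintext. Heuristic only.
OPAQUE_ENTROPY_THRESHOLD = 7.2

SAMPLE_SIZE = 1000  # the small leading range read described in the post


def looks_like_backup_name(blob_name: str) -> bool:
    """Metadata-only check: does the object name suggest a database backup?"""
    return blob_name.lower().endswith(BACKUP_EXTENSIONS)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def inspect_sample(blob_name: str, sample: bytes) -> dict:
    """Classify the first SAMPLE_SIZE bytes of an object without fetching it all.

    Caveat: a native SQL Server backup keeps its MTF media header readable even
    when it was taken WITH ENCRYPTION (RESTORE HEADERONLY on a copy reports the
    encryption settings and is the authoritative check), so the entropy figure
    is a plaintext indicator for generic dumps, not proof about SQL backups.
    """
    sample = sample[:SAMPLE_SIZE]
    entropy = shannon_entropy(sample)
    is_native_sql = sample.startswith(MTF_MAGIC)
    name_hit = looks_like_backup_name(blob_name)
    return {
        "blob_name": blob_name,
        "name_suggests_backup": name_hit,
        "is_sql_native_backup": is_native_sql,
        "entropy_bits_per_byte": round(entropy, 2),
        "plaintext_like": entropy < OPAQUE_ENTROPY_THRESHOLD,
        # Anything identifiable as a backup from name or header is a finding
        # the moment the object is reachable without credentials.
        "confirmed_backup": is_native_sql or name_hit,
    }


# Constructed sample 1: a header shaped like a native SQL Server backup
# (MTF magic, zero padding, a database name standing in for header fields).
PLAINTEXT_SAMPLE = (MTF_MAGIC + bytes(60) + "CorpDB".encode("utf-16-le")).ljust(SAMPLE_SIZE, b"\x00")


def _opaque_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 chain) standing in for an
    encrypted or compressed dump, so the example is repeatable offline."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


# Constructed sample 2: opaque bytes with no recognisable header.
OPAQUE_SAMPLE = _opaque_bytes(b"constructed-seed", SAMPLE_SIZE)


if __name__ == "__main__":
    for name, data in (("exports/corp-full.bak", PLAINTEXT_SAMPLE), ("tmp/blob-0042", OPAQUE_SAMPLE)):
        print(inspect_sample(name, data))
```

The point of the design is that the name check costs nothing and the header check costs one small ranged read, which is exactly why an outsider can triage a 4 TB object in seconds; an internal audit job can run the same two checks across every container it owns on a schedule and treat any `confirmed_backup` in an anonymously readable location as an incident rather than a ticket.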

To EY’s credit, the misconfiguration was quickly fixed and they confirmed no client data was impacted. But the bigger issue is not the exposure itself; it is what the exposure represents for every enterprise running at cloud scale.


Why Backups Are Becoming a Cloud Security Risk

1. Backups escape governance more easily than production systems

Production systems are monitored, audited, and reviewed. Backups, however, often sit in:

  • Legacy storage accounts
  • Unused containers
  • Old replication targets
  • Forgotten disaster recovery buckets

Teams rarely treat backup storage as part of the attack surface. Attackers, however, absolutely do.

2. Backup files contain everything an attacker wants, without needing to break in

A backup of a production database is an invaluable target for cybercriminals because it delivers, in a single file, what would otherwise take a full intrusion to collect: secrets, credentials, internal mappings, proprietary business logic, and comprehensive historical records. With that material, attackers gain deep insight into an organization’s operations, which lets them exploit vulnerabilities and escalate privileges, and ultimately conduct sophisticated, large-scale breaches that compromise systems, data integrity, and customer trust.

3. Cloud sprawl makes it easy to lose track of where backups live

Teams scale fast. Pipelines get messy. One engineer tests a backup restore in a temporary container and forgets to lock it down. Another team replicates a storage bucket for migration and never deletes it. At cloud speed, orphaned backups appear faster than teams can catalogue them.

4. Automated scanning tools turn exposures into immediate risk

The EY case underlines a new truth: the window between exposure and discovery is shrinking. Botnets and scanners sweep public cloud ranges nonstop. If a backup is exposed, someone will find it, and usually within hours.


The EY Exposure: What It Teaches the Enterprise Cloud World

Lesson 1: Security maturity doesn’t prevent blind spots

EY has mature teams, global SOC operations, and strong processes. And yet one misconfigured storage endpoint created a high-risk exposure. No organization is immune to cloud drift.

Lesson 2: Ownership is often unclear

The researchers struggled to even identify the right team inside EY to contact. That’s common. Backups often fall under Infra, DBA teams, M&A integration teams, cloud operations, or even application teams. When ownership is unclear, governance gaps widen.

Lesson 3: Encryption is not enough

Many companies rely on encryption as the safety net. But a backup that is publicly exposed and turns out to be unencrypted has no safety net at all, and the blast radius multiplies instantly.

Lesson 4: Most cloud risk isn’t hacking. It’s a misconfiguration.

Attackers don’t need to exploit vulnerabilities when the data is already publicly available. Security leaders must treat backups like any other high-risk asset.


How Enterprises Can Prevent Backup Exposures

  • Treat backup storage as part of your attack surface. Audit backup locations with the same rigor as production workloads.
  • Continuously scan for exposed storage endpoints. Not quarterly or monthly, but continuously.
  • Enforce encryption by default. Backups should never exist unencrypted under any circumstance.
  • Implement automated discovery of orphaned resources. Cloud sprawl makes manual inventory impossible.
  • Build clear ownership and routing rules. If someone finds an exposure, who is accountable to fix it now?
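To make these controls concrete, here is an added Python audit (example code written for this article, not CheckRed's product logic or any vendor's API) that runs over a constructed inventory of storage containers, flags anonymously readable backups, backups stored without backup-level encryption, and stale or unowned containers, and routes every finding to the container's owner tag or to a placeholder fallback queue. The field names, the STALE_AFTER_DAYS threshold, the FALLBACK_OWNER value, the fixed AUDIT_DATE and the sample inventory are assumptions; the "blob" and "container" anonymous-access levels are Azure's own container settings, and the same model fits public-read grants on other providers.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Azure container anonymous-access levels: "blob" (anonymous reads of known blob
# URLs) or "container" (anonymous listing plus reads); None means private.
ANONYMOUS_LEVELS = {"blob", "container"}
BACKUP_EXTENSIONS = (".bak", ".bacpac", ".trn", ".dmp", ".dump")
STALE_AFTER_DAYS = 180                     # assumption: align with your retention policy
FALLBACK_OWNER = "cloud-platform-oncall"   # placeholder routing queue for unowned assets
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class StorageContainer:
    account: str
    name: str
    public_access: Optional[str]   # "blob", "container" or None
    last_modified: date
    owner: Optional[str]           # value of an "owner" tag, if present
    backup_encrypted: bool         # constructed field: taken from the backup job's settings
    blobs: List[str] = field(default_factory=list)


@dataclass
class Finding:
    severity: str
    account: str
    container: str
    issue: str
    route_to: str


def holds_backups(container: StorageContainer) -> bool:
    """Name-based check for backup objects inside a container."""
    return any(b.lower().endswith(BACKUP_EXTENSIONS) for b in container.blobs)


def audit(containers: List[StorageContainer], today: date) -> List[Finding]:
    """Apply the controls to every container and return findings, most severe
    first, each already routed to an accountable owner."""
    findings: List[Finding] = []
    for c in containers:
        route_to = c.owner or FALLBACK_OWNER
        backups = holds_backups(c)
        exposed = c.public_access in ANONYMOUS_LEVELS
        age_days = (today - c.last_modified).days

        # Attack-surface check: an anonymously readable backup is the EY scenario.
        if exposed and backups:
            findings.append(Finding("critical", c.account, c.name,
                f"backup objects readable anonymously (access level '{c.public_access}')", route_to))
        elif exposed:
            findings.append(Finding("high", c.account, c.name,
                "anonymous access enabled on container", route_to))

        # Encryption by default for anything that is a backup.
        if backups and not c.backup_encrypted:
            findings.append(Finding("high", c.account, c.name,
                "backups stored without backup-level encryption", route_to))

        # Ownership and orphan discovery: unowned containers get a routing rule,
        # and stale unowned ones are flagged as orphan candidates.
        if c.owner is None:
            note = "no owner tag; routed to fallback queue"
            if age_days > STALE_AFTER_DAYS:
                note += f" (orphan candidate: untouched for {age_days} days)"
            findings.append(Finding("medium", c.account, c.name, note, route_to))

    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])   # stable sort keeps scan order within a tier
    return findings


AUDIT_DATE = date(2024, 7, 1)   # fixed "today" so the constructed run is repeatable


def build_sample_inventory() -> List[StorageContainer]:
    """Constructed inventory; in practice this comes from the cloud API or a CSPM export."""
    return [
        StorageContainer("stprodsql", "prod-sql-backups", None, date(2024, 6, 1),
                         "dba-team", True, ["corp-2024-06-01.bak"]),
        StorageContainer("stmigrate01", "migration-temp", "blob", date(2023, 11, 15),
                         None, False, ["crm-full.bak", "notes.txt"]),
        StorageContainer("stdreast", "dr-replica-eastus", None, date(2024, 6, 20),
                         None, True, ["invoices.bak"]),
        StorageContainer("stweb", "web-static-assets", "container", date(2024, 6, 30),
                         "web-team", True, ["logo.png"]),
    ]


def run_sample_audit() -> List[Finding]:
    return audit(build_sample_inventory(), AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f.severity.upper():8}] {f.account}/{f.container}: {f.issue} -> {f.route_to}")
```

Run continuously rather than on a calendar, the same logic answers the last bullet's question automatically: every finding carries a `route_to` value, so an exposure found at 03:00 lands with a named team or the on-call queue instead of waiting, as the EY researchers did, for someone to work out who owns the container.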


How CheckRed Helps Close the Backup Security Gap

The EY incident highlights exactly the kind of hidden exposure CheckRed is designed to detect.

Continuous discovery of every storage asset, across cloud & SaaS

CheckRed automatically identifies all cloud containers, buckets, and storage accounts, including:

  • Old backups
  • Test snapshots
  • Temporary replication targets
  • Unused migration buckets

Nothing stays hidden.

Real-time exposure detection

CheckRed flags publicly accessible storage, anonymous or unauthorized access, misconfigured tokens, unencrypted database backups, and resources sitting in the wrong network boundary. Alerts are immediate and prioritized, helping your security teams respond swiftly and appropriately.

Context-rich insights to prioritize the risks that matter

Instead of long lists, CheckRed contextualizes risk:

  • Is this resource a database backup?
  • Does it contain sensitive data patterns?
  • Is it accessible globally?
  • Is it tied to a production system?

Security teams get clarity, not noise.

Automated and semi-automated remediation workflows

Organizations can fix issues instantly:

  • Disable public access
  • Revoke tokens
  • Enforce encryption
  • Lock down access policies

No manual hunting required.


Conclusion

Cloud security issues often arise not from high-profile zero-day vulnerabilities, but from the smaller gaps that go unnoticed. The EY exposure serves as a stark reminder that backups are no longer just passive archives; they have become active security risks. Even with a hardened, monitored, and tightly controlled cloud environment, if your backups are left unmanaged or scattered across misconfigured storage, you remain just one oversight away from a major security incident. This is where continuous monitoring plays a crucial role and where proactive vigilance helps mitigate risk. CheckRed steps in to close the gap. Get in touch with us to learn more!