Ernst & Young
I had to read 1/3 of the way into the linked report to find out what the f**k EY is. Come on El Reg, not everyone has the same knowledge set and interests in detail as you do. EY = Ernst & Young, a big accounting firm.
> A Dutch cybersecurity outfit says its lead researcher recently stumbled upon a 4TB+ SQL Server backup file belonging to EY exposed to the web, effectively leaking the accounting and consulting megacorp's secrets. Among the BAK file's data were API keys, cached authentication tokens, session tokens, service account passwords, …
It's interesting what counts as a shibboleth in IT. I remember one Reg comment that asked "Am I supposed to know what an ERP system is?" to which the answer is less yes or no and more "how long did you say you've been doing this?"
I think "rings a bell" level familiarity with FAANG, the big 4, maybe the biggest international banks(?) is just about on the level of expected commercial awareness for an IT worker who's been around. Everyone had to ask "what's Deloitte?" at some point, but it means you've only just found some of the biggest potential employers in your industry.
Surely we can presume some business awareness amongst Reg readers, this isn't a home computing newsgroup, and EY have circa £40bn turnover.
I would post a link to the section of their website offering cybersecurity advisory services, but at the time of typing this their web presence is offline. Maybe potential customers for cybersecurity advice might take note of both the exposure of everything, and the fact that they can't even keep a website up.
Oh add patronising to the insults, why don't you?
Aside from the fact that Ernst & Young, along with the other accounting & consulting firms, has been through several rebrands, mergers and demergers, it's good journalistic (& UI design for that matter) practice to provide readers with the necessary information and this may include things you find obvious. In addition, it's relevant to the article which particular parts of the business were affected by the clusterfuck. Was it the accounting? Was it the consulting/body leasing? Or was it the blue sky / big cheque part?
> A Dutch cybersecurity outfit says its lead researcher recently stumbled upon a 4TB+ SQL Server backup file belonging to EY exposed to the web, effectively leaking the accounting and consulting megacorp's secrets
It's an accounting and consulting megacorp, apparently
I came into this already knowing the names of the big four consulting firms because I work in IT and these are major employers in my industry but also Connor did absolutely nothing wrong here
Just sorry I can only upvote this once.
The article is fine, I did not know this company rebranded to EY in 2013, but that is the legal and correct name now.
When an article mentions 3M, I don't think we should expect someone to point out that this used to be Minnesota Mining and Manufacturing, back when longer names were apparently better...
"EY is like IBM or GE."
No, it's not even near. You see, IBM (eventually) and GE (at one time) made actual consumer products you or I can buy from the corner shop.
EY is and was solely for billionaires and their corporations: A world poor peons like me have never heard of. Even less their random name changes.
I knew which company was (presumably) intended from the initials (the most likely expansion of those letters being their, now apparently erstwhile, name), as, yes, they are very big and very well-known if you ever read the business news even occasionally (see also KPMG, which I also recognise, but have no idea what the letters stand for!), but the fact that they had apparently renamed had completely passed me by - not really the most successful rebranding, then!
But, yes, it really wouldn't have hurt for the article to have included, on the first mention: "EY, the large accountancy company formerly known as…".
Unless an acronym is one that can reasonably be expected to be already known to readers of a particular publication, it is good copywriting practice to expand and/or explain on first use.
KPMG: "Klynveld Peat Marwick Goerd(e)ler", the usual "last initials of the founders" naming convention. Wikipedia seems a bit unsure on which names are spelled in what manner, but that's the basic idea.
Apparently it almost became "KPMG EY" at one point, but the merger plans were abandoned for some reason.
Oh come on, KPMG has eye-watering bills for uni students to come and perform more than just audits! Their technology and business transformation consultants are equally inept and expensive. They do have extremely competent employees - you just never see them after the contract is signed.
Not that I am defending KPMG, but we have one of their ex students working for us, and she is one of the most competent people I have come across. If she was involved in auditing you there would be no chance of hiding anything. She just got tired of the rat race - they're not paid well by KPMG as most of what they are billed at seems to go to partners buying yachts.
I can see this one being headhunted in a few years.
I worked with KPMG auditors all the way up to partners, and they were very competent, although several had toxic personalities. But we also had a major accounting systems rewrite contracted to KPMG, and the joke in my area was that we were paying KPMG to train their employees for them. The KPMG staff who developed their proposal knew our business as well as employees with 30 years of experience in the industry, and really snowed the CFO and Controller. Once the contract was signed, the actual KPMG staff who were doing the work didn't even understand basic concepts and terminology. I was spending a large part of my day answering their basic questions about accounting rules and terms. Not fun!
Maybe crawl out from under your rock more often? Read a few other newspapers?
Honestly, even just a 0.02 sec search would have given you that information. I do not blame the journalist for assuming the reader has at least a basic understanding of which companies are out there. If they have to expand every TLA (yes I did that deliberately) they wouldn't get anything written.
"They changed the name over a decade ago"
And? Not being a billionaire, I heard of Ernst & Young for the first and last time (before this) in relation to some court cases they were involved in, somewhere in the 1990s.
It may have a lot of revenue, but the only time ordinary people see even the name is in court documents; it's a totally different world.
And that's why encrypted backups are good, you have an extra layer of protection in case you/a colleague/the cloud provider end up screwing something up.
Perhaps they just uploaded it as a secondary backup copy and didn't want to do an encrypted db backup just for that... not a good excuse anyway.
Backups should never be unencrypted. If the data isn't worth encrypting, it's not worth the risk of keeping it.
I wouldn't even allow non-production backups to be unencrypted.
a. build your non-prod like your prod so your testing is legitimate
b. developers have a tendency to put prod-like data in non-prod systems. "I just want to see why this particular data is causing the app to blow up"
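The point made in the last two comments, that a SQL Server backup should never leave the box unencrypted, maps onto a small amount of T-SQL. The following is an added example, not code from the article, the researcher or EY: it shows the plain `BACKUP DATABASE` that produces a readable .bak file next to the native backup-encryption form (SQL Server 2014 or later), plus the header check that tells you which kind of file you are looking at. The database name `AppDb`, the certificate name `BackupCert`, the file paths and the passwords are all placeholders.

```sql
-- Added example: native SQL Server backup encryption (requires SQL Server 2014+).
-- AppDb, BackupCert, the paths and the passwords below are placeholders.

USE master;
GO
-- One-off setup: a database master key in master, and a certificate that will
-- protect the backups. Use a strong, vaulted password rather than this literal.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
GO
CREATE CERTIFICATE BackupCert
    WITH SUBJECT = 'Backup encryption certificate';
GO
-- Export the certificate and its private key to a separate, access-controlled
-- location. Without this file (and its password) an encrypted backup can never
-- be restored, so losing it is as fatal as losing the backup itself.
BACKUP CERTIFICATE BackupCert
    TO FILE = '<secure path>\BackupCert.cer'
    WITH PRIVATE KEY (
        FILE = '<secure path>\BackupCert.pvk',
        ENCRYPTION BY PASSWORD = '<strong private key password>'
    );
GO

-- Weak: a plain backup. Anyone who obtains AppDb_plain.bak can RESTORE it on
-- their own instance and read everything in it, connection strings included.
BACKUP DATABASE [AppDb]
    TO DISK = '<backup path>\AppDb_plain.bak'
    WITH COMPRESSION, CHECKSUM, INIT;
GO

-- Better: the same backup, encrypted with AES-256 under the certificate.
-- The file is useless without BackupCert's private key.
BACKUP DATABASE [AppDb]
    TO DISK = '<backup path>\AppDb_enc.bak'
    WITH COMPRESSION, CHECKSUM, INIT,
         ENCRYPTION (ALGORITHM = AES_256, SERVER CERTIFICATE = BackupCert);
GO

-- Check: the backup header reports how (or whether) the file is encrypted.
-- For the encrypted file the KeyAlgorithm, EncryptorThumbprint and
-- EncryptorType columns are populated; for the plain file they are NULL.
RESTORE HEADERONLY FROM DISK = '<backup path>\AppDb_enc.bak';
RESTORE HEADERONLY FROM DISK = '<backup path>\AppDb_plain.bak';
GO

-- Confirm the encrypted backup is restorable (the certificate must be present
-- on the instance doing the check).
RESTORE VERIFYONLY FROM DISK = '<backup path>\AppDb_enc.bak' WITH CHECKSUM;
GO
```

Two caveats a practitioner would add: backup encryption protects the file at rest wherever it is copied, but it does not replace access control on the storage it lands in, and the certificate export is the part people forget until a restore fails. If the database is already under Transparent Data Encryption, its backups are encrypted as a consequence, but the same certificate-management rule applies.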
Would be interesting to know how a db connection string in a web.config file led to anything. If you have the password to the DB it doesn't help unless you can connect to the DB. So I'm assuming the attacker had other means of connecting to the DB, maybe the DB was exposed externally as well.
Another article on security stuff here made me think briefly back to the SQL Slammer worm, which, when I looked it up again on Wikipedia, I think said there were about 75,000 exposed SQL databases at the time and the worm took just 10 minutes to hit all of them across the globe. This was before the "cloud" era too.. people have been doing stupid things for a long time ...