EY 4TB Data Leak Shows How Dangerous The Government Digital ID Project Is
One of the world’s largest accounting firms, Ernst & Young (EY), recently had a colossal 4TB database backup file exposed on the public internet, accessible to anyone who knew the URL.
A security researcher at Neo Security stumbled upon the file, which contained sensitive data such as the schema, stored procedures, and “every secret stored in those tables.”
While the researcher confirmed the file’s nature without downloading the full 4TB, they warned that such backups typically hold “API keys, session tokens, user credentials, cached authentication tokens, [and] service account passwords.” Essentially, all the secrets the application stored in the database.
“Finding a 4TB SQL backup exposed to the public internet is like finding the master blueprint and the physical keys to a vault, just sitting there,” the researchers noted.
They emphasised the enormous risk: even minutes of exposure are enough for a company to suffer a major breach or ransomware attack, and any responsible researcher must assume that threat actors have likely already stolen the data.
EY’s Response: A Mixed Review
The researchers immediately alerted EY. They praised the initial response from the IT team as “Textbook perfect,” noting a “Professional acknowledgment. No defensiveness, no legal threats. Just: ‘Thank you. We’re on it.’”
However, they added that it took EY a full week to fully triage and remediate the issue—a significant delay where every second counts.
EY later stated: “No client information, personal data, or confidential EY data has been impacted.” They clarified that the issue was localised to an entity acquired by EY Italy and was unconnected to EY’s global cloud and technology systems.
This incident serves as a stark reminder of the fundamental security risk posed by misconfigured cloud storage and the critical need for rapid response when sensitive data is exposed.
The UK government have already put in place laws within the Data Use & Access Bill to share any data they please with any third-party supplier. This shows exactly how easy it is to have users' or companies' private data leaked.


