Cloud teams often obsess over production systems: hardening workloads, tightening IAM, refining detection rules, and closing misconfigurations before attackers can use them. But there’s another environment hiding in plain sight: your backup storage.
The recent discovery of a 4TB publicly accessible SQL Server backup linked to EY demonstrates a harsh reality. Even well-funded, security-mature organizations can unintentionally expose high-value data if backups aren’t governed with the same rigor as their primary infrastructure. And in the era of automated scanning, exposure isn’t a matter of chance. It’s a matter of time.
During routine passive network analysis, researchers at Neo Security identified a massive .BAK file that was 4 terabytes in size and publicly accessible on Microsoft Azure. Even without downloading the file, simple metadata checks showed it was a full SQL Server backup with potential access to database schemas, sensitive user data, API keys, hardcoded credentials, and authentication tokens.
A short test sample of only 1,000 bytes confirmed the backup was unencrypted and live. After days of tracing the owner, the investigation pointed to EY via DNS SOA records and historical corporate documentation. The researchers responsibly disclosed the finding, but only after 15 attempts to reach the right team.
To EY’s credit, the misconfiguration was quickly fixed and they confirmed no client data was impacted. The bigger issue, though, is not the exposure itself but what it represents for every enterprise running at cloud scale.
Production systems are monitored, audited, and reviewed. Backups, however, often sit in:
Teams rarely treat backup storage as part of the attack surface. Attackers, however, absolutely do.
A backup database containing sensitive information represents an invaluable target for cybercriminals. With unrestricted access to confidential data such as secrets, credentials, internal mappings, proprietary business logic, and comprehensive historical records, attackers can gain deep insight into an organization’s operations. This level of exposure not only enables them to exploit vulnerabilities and escalate privileges but also to conduct sophisticated, large-scale breaches that compromise systems, data integrity, and customer trust.
Teams scale fast. Pipelines get messy. One engineer tests a backup restore in a temporary container and forgets to lock it down. Another team replicates a storage bucket for migration and never deletes it. At cloud speed, orphaned backups appear faster than teams can catalogue them.
The EY case underlines a new truth: the window between exposure and discovery is shrinking. Botnets and scanners sweep public cloud ranges nonstop. If a backup is exposed, someone will find it, and usually within hours.
EY has mature teams, global SOC operations, and strong processes. And yet one misconfigured storage endpoint created a high-risk exposure. No organization is immune to cloud drift.
The researchers struggled to even identify the right team inside EY to contact. That’s common. Backups often fall under Infra, DBA teams, M&A integration teams, cloud operations, or even application teams. When ownership is unclear, governance gaps widen.
Many companies rely on encryption as the safety net. But if a backup is publicly exposed and unencrypted, the blast radius multiplies instantly.
Attackers don’t need to exploit vulnerabilities when publicly available data already exists. Security leaders must treat backups like any other high-risk asset.
The EY incident highlights a common but often overlooked source of risk: hidden exposure within backup and storage environments.
Effective security starts with knowing what exists across cloud and SaaS environments. This includes visibility into:
When these assets aren’t continuously discovered, they can quietly expand an organization’s attack surface.
Modern security programs must identify risky storage conditions as they happen, including:
Immediate, prioritized alerts allow security teams to respond before exposure turns into an incident.
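One way to check for the condition described above, a backup file sitting in anonymously readable storage, is to run a rule over a storage inventory export. This is an added example, not code from the original article or from any vendor: the inventory is constructed, its field names are modelled on Azure CLI JSON output as an assumption, and the `owner` tag is hypothetical.

```python
# Added example: flag anonymously readable database backups in a storage inventory.
# Field names (allowBlobPublicAccess, publicAccess, contentLength) are assumed to
# mirror Azure CLI JSON output; "owner" is a hypothetical tag. All data is constructed.
BACKUP_SUFFIXES = (".bak", ".bacpac", ".trn", ".dump", ".sql", ".sql.gz")
GIB = 1024 ** 3

INVENTORY = [  # constructed sample data
    {"account": "prodsqlstore", "allowBlobPublicAccess": False, "owner": "dba-team",
     "containers": [{"name": "nightly", "publicAccess": "container",
                     "blobs": [{"name": "erp_full.bak", "contentLength": 4096 * GIB}]}]},
    {"account": "migrationtmp", "allowBlobPublicAccess": True, "owner": None,
     "containers": [{"name": "restore-test", "publicAccess": "blob",
                     "blobs": [{"name": "crm/crm_full.BAK", "contentLength": 250 * GIB},
                               {"name": "readme.txt", "contentLength": 512}]},
                    {"name": "private", "publicAccess": None,
                     "blobs": [{"name": "hr.bak", "contentLength": 10 * GIB}]}]},
    {"account": "legacyshare", "allowBlobPublicAccess": None, "owner": "app-team",
     "containers": [{"name": "exports", "publicAccess": "container",
                     "blobs": [{"name": "orders.sql.gz", "contentLength": 3 * GIB}]}]},
]

def anonymous_access(account, container):
    """Effective anonymous access level ('blob' or 'container'), or None if blocked."""
    # An explicit account-level False overrides any container setting. A missing
    # value is treated as "allowed" here, which is a deliberately conservative choice.
    if account.get("allowBlobPublicAccess") is False:
        return None
    return container.get("publicAccess")

def find_exposed_backups(inventory):
    """Return backup-like blobs that are anonymously readable, largest first."""
    findings = []
    for account in inventory:
        for container in account.get("containers", []):
            level = anonymous_access(account, container)
            if level is None:
                continue
            for blob in container.get("blobs", []):
                if blob["name"].lower().endswith(BACKUP_SUFFIXES):
                    findings.append({
                        "url_path": f'{account["account"]}/{container["name"]}/{blob["name"]}',
                        "size_bytes": blob["contentLength"],
                        "listable": level == "container",  # anonymous listing possible
                        "unowned": account.get("owner") is None,
                    })
    return sorted(findings, key=lambda f: f["size_bytes"], reverse=True)

if __name__ == "__main__":
    for finding in find_exposed_backups(INVENTORY):
        print(finding)
```

The rule covers anonymous access settings only; storage shared through other means, such as long-lived signed URLs, needs a separate check.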
Raw alerts aren’t enough. Teams need context to understand real risk, such as:
Context transforms overwhelming alert lists into actionable intelligence.
Closing the gap requires the ability to act quickly. Common remediation actions include:
Automation and guided workflows reduce manual effort and help teams remediate consistently and safely.
Cloud security incidents rarely stem from headline-grabbing zero-day exploits. More often, they originate from small, overlooked gaps—like unsecured backups quietly sitting in misconfigured storage. The EY exposure is a reminder that backups are no longer passive archives; they are high-value assets that demand the same governance, monitoring, and controls as production systems.
Without continuous visibility and proactive oversight, even well-secured environments remain vulnerable to a single missed setting. Closing the backup security gap requires ongoing monitoring, contextual risk analysis, and the ability to remediate exposures before attackers find them.
Derek Hammack is a multi-disciplinary cybersecurity professional at CheckRed with a background spanning engineering, communications, analytics, and strategic leadership. With experience across government and private sectors—including work in cloud architecture, SaaS security, and cross-functional program management—he brings a systems-thinking approach to solving complex challenges. Derek is passionate about helping organizations stay ahead of evolving threats through proactive posture management and modern security solutions.
© 2009–2026 Cloud Security Alliance.
All rights reserved.