Incident

Ernst & Young cloud misconfiguration leaks 4TB SQL Server backup on Microsoft Azure


Ernst & Young (EY), one of the world's "Big Four" accounting and professional services firms, left a 4-terabyte SQL Server backup file publicly accessible on Microsoft Azure.

The leak was detected by Dutch cybersecurity firm Neo Security during routine attack surface mapping exercises in October 2025. A simple HEAD request, designed to retrieve only metadata without downloading actual content, revealed an unusually large file size of 4 terabytes, equivalent to millions of documents or the entire collection of a major library. 

The file's naming convention indicated it was an SQL Server backup file (.BAK format). The cause of the exposure was a cloud storage misconfiguration on Microsoft Azure. In this case, it appears the issue stemmed from an entity acquired by EY Italy in 2020, where post-merger integration security gaps allowed the misconfigured backup to remain publicly accessible.

It's not clear what the backup file contained. The number of affected individuals was not disclosed. EY's official statement claims that "no client information, personal data, or confidential EY data has been impacted," attributing the issue to an isolated acquired entity not connected to EY's global cloud and technology systems.

To avoid legal complications and remain within ethical boundaries, the Neo Security team downloaded only the first 1,000 bytes of the file, which had the magic bytes of an unencrypted SQL Server backup, confirming the exposure.

EY claims the incident occurred "several months ago". The duration the file was publicly accessible is unknown.
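
The metadata-only HEAD check described above can be run by a defender against their own storage inventory to catch this kind of exposure, including assets inherited through acquisitions. The following is an added example, not code from Neo Security or EY; the extension list, size threshold, verdict names and `storage.example.com` URLs are assumptions, and the sample responses are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Extensions and size threshold are assumptions for this example; tune to your estate.
BACKUP_EXTS = (".bak", ".bacpac", ".sql", ".dump", ".tar.gz")
LARGE_BYTES = 1 << 30  # 1 GiB

def classify(url, status, headers):
    """Grade one anonymous HEAD result: (verdict, size_in_bytes_or_None)."""
    if not 200 <= status < 300:
        return ("not-anonymously-readable", None)
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    raw = hdrs.get("content-length", "")
    size = int(raw) if raw.isdigit() else None
    name = urlparse(url).path.lower()
    if name.endswith(BACKUP_EXTS):
        return ("public-backup", size)
    if size is not None and size >= LARGE_BYTES:
        return ("public-large-object", size)
    return ("public-object", size)

def head(url, timeout=10):
    """Unauthenticated HEAD: returns status and headers, never the body."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

def audit(inventory, fetch=head):
    """Check every URL in your own asset inventory; keep only public findings."""
    findings = []
    for url in inventory:
        verdict, size = classify(url, *fetch(url))
        if verdict != "not-anonymously-readable":
            findings.append((url, verdict, size))
    return findings

# Constructed responses standing in for the network (placeholder hostnames).
SAMPLE = {
    "https://storage.example.com/db/prod_full.BAK": (200, {"Content-Length": str(4 * 10**12)}),
    "https://storage.example.com/img/logo.png": (200, {"content-length": "5120"}),
    "https://storage.example.com/private/x.bak": (404, {}),
}

if __name__ == "__main__":
    for row in audit(SAMPLE, fetch=SAMPLE.get):
        print(row)
```

Any `public-backup` or `public-large-object` finding should be treated as an incident lead: confirm the container's access level, remove anonymous access, and review access logs for the period it was exposed.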