Security startup CodeWall has now breached internal AI platforms at two of the Big Three management consulting firms using the same autonomous agent. Both vulnerabilities have since been patched — McKinsey remediated by March 2, BCG within 48 hours of disclosure — but the pattern they expose is instructive for any enterprise deploying AI platforms. After accessing McKinsey’s Lilli platform in early March, the startup disclosed this week that its agent found a similar unauthenticated endpoint on Boston Consulting Group’s X Portal, exposing 3.17 trillion rows across 131 terabytes of data, including workforce analytics on hundreds of millions of individuals, M&A intelligence, and compensation benchmarks.
Both breaches followed the same pattern: publicly exposed API documentation, unauthenticated endpoints that accepted raw database queries, and full read-write access once inside.
McKinsey: 46.5 Million Chat Messages in Two Hours
CodeWall’s agent discovered the McKinsey vulnerability on February 28 and disclosed it on March 1, according to BankInfoSecurity. The agent found publicly accessible API documentation listing over 200 endpoints, 22 of which required no authentication. One of those open endpoints accepted user search queries and fed them into the database without input validation — a textbook SQL injection flaw.
Within two hours, the agent had accessed 46.5 million chat messages covering strategy, M&A, and client engagements; 728,000 files; 57,000 user accounts; and 95 system prompts controlling Lilli’s behavior. The system prompts were writable, meaning an attacker could have altered how Lilli responds to McKinsey’s 40,000-plus users without deploying new code. “No deployment needed. No code change. Just a single UPDATE statement wrapped in a single HTTP call,” CodeWall wrote in its disclosure.
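The two controls whose absence is described above, shown as an added example that is not code from CodeWall, McKinsey or this article: a search query built with bound parameters, and a database handle that cannot write. It uses SQLite, with constructed tables and hypothetical function names standing in for the real platform.

```python
import sqlite3

def build_db(path):
    """Constructed stand-in data: one chat table and one system-prompt table."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        CREATE TABLE system_prompts (id INTEGER PRIMARY KEY, prompt TEXT);
        INSERT INTO messages (owner, body) VALUES
            ('alice', 'pricing deck draft'), ('bob', 'merger timeline notes');
        INSERT INTO system_prompts (prompt) VALUES ('Answer from approved sources.');
    """)
    con.close()

def open_read_only(path):
    # SQLite URI mode=ro: the handle itself cannot write, whatever SQL reaches it.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def search_vulnerable(con, owner, term):
    # Flawed on purpose: the search term becomes part of the SQL text.
    sql = ("SELECT body FROM messages WHERE owner = '" + owner +
           "' AND body LIKE '%" + term + "%'")
    return [row[0] for row in con.execute(sql)]

def search_hardened(con, owner, term):
    # Bound parameters keep the term as data; LIKE wildcards in it are escaped.
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT body FROM messages WHERE owner = ? AND body LIKE ? ESCAPE '\\'"
    return [row[0] for row in con.execute(sql, (owner, "%" + esc + "%"))]

def prompt_write_allowed(con):
    """True if this handle can modify system_prompts (the change is rolled back)."""
    try:
        con.execute("UPDATE system_prompts SET prompt = 'changed' WHERE id = 1")
    except sqlite3.OperationalError:
        return False  # read-only handle refused the write
    con.rollback()
    return True

if __name__ == "__main__":
    import os, tempfile
    db = os.path.join(tempfile.mkdtemp(), "demo.db")
    build_db(db)
    rw, ro = sqlite3.connect(db), open_read_only(db)
    crafted = "%' OR 1=1 --"  # constructed test input
    print(search_vulnerable(rw, "alice", crafted))  # leaks other owners' rows
    print(search_hardened(ro, "alice", crafted))    # treated as a literal term
    print(prompt_write_allowed(rw), prompt_write_allowed(ro))
```

On a server database the equivalent of the read-only handle is a service role granted SELECT on the tables the endpoint needs and nothing else.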
McKinsey patched all exposed endpoints by March 2 and told The Register that a third-party forensics investigation “identified no evidence that client data or client confidential information were accessed by this researcher or any other unauthorized third party.” A McKinsey source told the Financial Times that the underlying files were stored separately and “never at risk.”
Security analyst Edward Kiledjian questioned aspects of CodeWall’s account, writing that while the attack chain was “plausible and technically sound,” the claimed scope of impact was “not fully evidenced.” He also noted that McKinsey’s nine-day remediation window was compressed for full variant analysis.
BCG: 3.17 Trillion Rows, Same Class of Flaw
After the McKinsey disclosure, CodeWall says it fed the response data back into its agent and asked which firm was likely to have similar problems. The agent flagged BCG as a high-priority target. Operating under BCG’s published responsible disclosure guidelines, the agent discovered that BCG’s X Portal — the firm’s analytics and AI platform — exposed 372 API endpoints in public documentation. Most were locked down. One was not: an endpoint that accepted raw SQL queries and returned results with no authentication, no API key, and no session token.
Behind that endpoint sat BCG’s Workforce Analytics data warehouse: 553 million individual position histories with full-text job descriptions and total compensation; 8.7 billion employee joiner/leaver records; 12.8 billion individual skills records; and 7.8 billion compensation benchmarks — 3.17 trillion rows totaling 131.2 terabytes, according to CodeWall’s disclosure. The same endpoint also provided access to 201 billion rows of M&A workforce data, 3 billion consumer purchase receipts, 1.87 billion rows of per-company cloud spending data (individual companies’ AWS, Azure, and GCP costs by service and region), and data on 399 named BCG GAMMA employees mapped to their specific consulting cases.
The service account behind the endpoint held full write privileges, CodeWall said, meaning an attacker could have altered compensation data, M&A intelligence, and the inputs feeding BCG’s client advice. An orphaned AWS S3 storage integration was also exposed — an attacker could have recreated the deleted bucket to intercept data exports.
BCG remediated the vulnerability within 48 hours of disclosure, according to CodeWall. NCT was unable to find an independent media report or public statement from BCG confirming or contesting CodeWall’s account as of publication.
The Pattern for Builders
The two breaches share the same architecture-level failure: an internal AI or analytics platform with API documentation exposed publicly and at least one endpoint that executes database queries without authentication. CodeWall described it directly: “Different firm, different platform, same fundamental mistake.”
Outpost24’s analysis of the McKinsey breach identified two exploitation paths relevant to any enterprise deploying AI agents: data exfiltration through unauthenticated endpoints, and prompt manipulation through writable system prompts stored in accessible databases. Both apply to any organization running an agent-powered platform backed by a database with API access.
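One way a platform team can look for this pattern in its own API documentation before publishing it, as an added example that is not from CodeWall, Outpost24 or either firm: a check that walks an OpenAPI 3 document and lists every operation a caller can reach without credentials. The sample document, its paths and the allowlist are constructed for illustration.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

def unauthenticated_operations(spec):
    """Return sorted (METHOD, path) pairs that the document declares as
    reachable with no credentials."""
    global_reqs = spec.get("security", [])
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as 'parameters' or 'summary'
            # An operation-level 'security' replaces the global list;
            # an empty list there removes the requirement entirely.
            reqs = op.get("security", global_reqs)
            # No requirement, or an empty {} alternative, permits anonymous calls.
            if not reqs or any(req == {} for req in reqs):
                findings.append((method.upper(), path))
    return sorted(findings)

def unexpected_anonymous(spec, allowed):
    """Findings that are not on the reviewed allowlist; a CI gate fails on any."""
    return [f for f in unauthenticated_operations(spec) if f not in allowed]

# Constructed sample document (hypothetical paths and scheme name).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {
        "bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/v1/reports": {"get": {"summary": "List reports"}},           # inherits global
        "/v1/search": {"post": {"summary": "Search", "security": []}},  # override: none
        "/v1/health": {"get": {"security": [{}, {"bearerAuth": []}]}},  # auth optional
        "/v1/export": {"parameters": [],
                       "post": {"security": [{"bearerAuth": []}]}},
    },
}

ALLOWED_ANONYMOUS = {("GET", "/v1/health")}  # reviewed and accepted as public

if __name__ == "__main__":
    for method, path in unexpected_anonymous(SAMPLE_SPEC, ALLOWED_ANONYMOUS):
        print(f"no authentication declared: {method} {path}")
```

The document only records declared intent, so the same list should drive a test that sends a request without credentials to each remaining operation in a staging environment and expects a 401 or 403.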
The timing is notable. This week has already produced the ClawHavoc supply chain attack on OpenClaw’s skills registry, Anthropic’s accidental leak of 512,000 lines of Claude Code source, and an OpenAI Codex command injection vulnerability that exposed GitHub OAuth tokens. CodeWall’s disclosures add a different vector to the pattern: the agent itself as the attacker, autonomously discovering and exploiting vulnerabilities in enterprise AI infrastructure faster than manual penetration testing teams can operate.
Sources: BankInfoSecurity, The Register, CodeWall McKinsey disclosure, CodeWall BCG disclosure, Outpost24 analysis, Kiledjian analysis