Cybercrooks Hack Deloitte Client Emails

Big Four accountancy firm Deloitte is the latest target of a high-profile data breach, one some analysts are calling an “embarrassment” for a company known for its corporate cybersecurity expertise.

Reports in The Guardian on Monday (Sept. 25) first highlighted the attack, which led to the compromise of sensitive corporate data like the emails and company plans of several of its clients. That client list includes “some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies,” according to the publication.

The Guardian said the hack was first discovered in March of this year, but noted Deloitte’s systems may have been compromised starting as early as October 2016. Six of the accountancy and consulting company’s clients have so far been notified that their information was “impacted” by the breach, while Deloitte is reportedly continuing its internal investigation into the matter.

Details Of The Breach

According to unnamed sources, attackers targeted Deloitte’s email server through an “administrator’s account” that is said to have given them unrestricted access to the rest of the system. Deloitte’s email server is based on Microsoft’s Azure cloud platform, and, according to reports, the server currently stores 5 million emails for Deloitte.

The administrator’s account required only a single password, not two-factor authentication (2FA), to gain access to the rest of the email server, reports added. The Guardian described the incident as a “deep embarrassment” for Deloitte, which itself provides cybersecurity services to its clients.

Analysts for Gizmodo also highlighted the simplistic nature of the cybersecurity breach.

“The attackers were able to access information from Deloitte’s major corporate and government clients in the U.S. — all because, it appears, someone didn’t use two-factor authentication,” the publication wrote.

Deloitte was ranked best cybersecurity consultant in the world in 2012 by technology research firm Gartner.

Reports in The Guardian said cyberattackers may have gained access to usernames and passwords, IP addresses, health information, corporate diagrams and other data from Deloitte clients. The compromise of emails also exposed email attachments, many of which contained sensitive company information.

Reports said the cyberattack likely targeted Deloitte’s U.S. operations. The company is based in London but remains one of the largest private firms in the U.S., according to the article, which noted the firm posted $37 billion in revenues last year. Who the cyberattackers are, and their motive, remain unknown.

Deloitte’s Response

Unnamed sources told The Guardian an internal probe of the matter could be codenamed “Windham.” Cybersecurity experts are so far looking to “map out” exactly where the breach occurred and how it progressed throughout the company. The team conducting the probe is reportedly based in Virginia. Deloitte reportedly hired international law firm Hogan Lovells in late April for a “special assignment” regarding “a possible cybersecurity incident.”

In a statement to CNBC, the firm said its review of the email server was complete.

In another statement, Deloitte told The Guardian that, while it was true it was the victim of a cyberattack, only a small number of its clients were “impacted” by the event. The company did not clarify exactly how many of its customers were affected.

“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review, including mobilizing a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesperson for the company told the publication. “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.”

“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients or to consumers,” the spokesperson continued. “We remain deeply committed to ensuring that our cybersecurity defenses are best-in-class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required. Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”

Deloitte did not reveal which companies and government entities were affected by the hack, but said only six clients were notified of impacted information. It is unclear whether an ongoing internal investigation into the matter will result in revelations of more clients affected.