Deloitte, one of the world’s leading accountancy firms, was hit by a destructive cyber-attack in November last year that compromised secret client emails and other records.
Deloitte is conducting an internal inquiry into the data breach but hasn’t disclosed how much data was breached following the cyber-attack.
When and how did the breach occur?
First revealed by The Guardian, Deloitte’s systems in the United States were probably breached between October and November of last year but the firm discovered it as late as in March of this year.
Hackers behind the breach found their way in by breaching an “administrator’s account” that required a single password to unlock. Once they unlocked the account, they not only accessed sensitive emails from the company’s clients, but also accessed ‘usernames, passwords, IP addresses, architectural diagrams for businesses and health information’.
Hackers were also able to access emails sent and received by 244,000 Deloitte employees. These emails were stored in the Azure cloud service offered by Microsoft.
What is Deloitte doing about it?
Even though the firm is yet to establish the identity of the hackers or the motive behind the data breach, it is conducting a comprehensive internal inquiry into the incident. It also hired a law firm Hogan Lovells for assistance in reviewing a ‘possible cybersecurity incident’ in April.
“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte. As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” said a Deloitte spokesman.
“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.
“We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required,” he added.
Incidentally, Deloitte is one of the world’s leading advisors to governments, Fortune 500 firms and other organisations on cyber security. The firm’s CyberIntelligence Centre offers round-the-clock business-focussed operational security and it also helps clients in implementing cyber security best practices to minimise the impact on business.
Even though The Guardian has been told that over 5 million internal and client emails were compromised by the hack, Deloitte suggests that the real number is much lower. In fact, the firm claims that data accessed by the hackers will in no way impact the company’s business or impact its cyber security.
The real cause
Even though Deloitte is yet to come up with a comprehensive disclosure of the data breach unlike Equifax, what is known is that the breach occurred due to weak password protection in an admin account that enabled hackers to access mountains of data that contained sensitive corporate secrets and details about a number of organisations from across the world.
“The number one greatest cyber threat to a business is their very own employees. Critical data is more accessible via mobile devices in our 24/7-connected, device-filled world,’ said Darren Guccione, CEO and Co-founder of Keeper Security, Inc.
‘Poor password policies, the rise of mobile-targeted attacks and the influx of Internet of Things devices in the workplace is a recipe for disaster. The best way to reduce these risks is through software that can lock an employee’s device and at the same time, protect their passwords and other sensitive digital assets via a ubiquitous digital vault,’ he added.
In a survey of more than 1,000 IT professionals conducted by Keeper Security, 54% of respondents said negligent employees were the root cause of a data breach. While only 43% of them have a password policy in place, 59% of respondents say they do not have visibility into their employees’ password practices.
Were more systems breached than Deloitte is letting us on?
While Deloitte has told KrebsOnSecurity that the breach impacted very few clients and that no disruption has occurred to client businesses, the company’s operations or consumers, an anonymous Deloitte insider has told the firm that Deloitte ‘does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.’
It is believed that the hackers enjoyed a free reign on Deloitte’s servers for a long time. In fact, those investigating the data breach aren’t sure yet if they have been able to evict the hackers who breached Deloitte’s systems last November, or how much data was actually taken by the hackers.
However, forensic investigators have been able to identify several chunks of data that were exfiltrated by the hackers to a server in the UK.
“I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients,” the source told KrebsOnSecurity.