“BIG FOUR” FIRM DELOITTE SYSTEMS HACKED IN MARCH, KEPT NEWS QUIET, TILL NOW
And yet again we have a story of a big, disturbing hack, this time of the systems of Deloitte. Deloitte is a consulting and accounting firm that is included in the world’s “big four,” making this hack especially noteworthy. Of course, we are only now hearing about it as Deloitte itself kept the security incursion quiet since it occurred last March. Hackers successfully accessed data on Deloitte’s corporate and government clients in the United States. That sounds kind of like a big deal. The exposure was the result of one person not using the basic security protocol of two-factor authentication. Oops.
HACKERS GAINED CASUAL ACCESS BY ACQUIRING SINGLE ADMINISTRATOR’S PASSWORD
While we keep hearing of major hacks of important information systems all too often these days, this one is especially noteworthy: unlike most hacks, which require sophisticated methods, Deloitte was compromised with a single password from an administrator’s email account. As a result, hackers had “access to all areas” of Deloitte’s email system. A review of the breach confirms that hackers targeted data involving major clients. Again, this doesn’t sound good at all.
ONLY SENIOR PARTNERS, LAWYERS INFORMED OF BREACH AFTER OUTSIDERS HIRED TO INVESTIGATE
The full details of the breach are sketchy and Deloitte appears to have taken great pains to keep its investigation, codenamed “Windham,” under wraps. Only senior partners and lawyers were informed when the breach was noticed in March after an outside law firm was brought in to investigate “a possible cybersecurity incident.”
DELOITTE TONES DOWN SCOPE OF HACK DESPITE SIX MONTHS OF SILENCE, FIRST BIG FOUR TO GET HIT
Deloitte insists that only a small fraction of its clients have been “impacted” by the breach. So far, six clients have been notified that the hackers were able to access “usernames, passwords, IP addresses, architectural diagrams for businesses and health information,” and in some cases sensitive security information. In total, the system reportedly stored emails from 244,000 staff members on Microsoft’s Azure cloud.
HACK COULD HAVE BEEN EASILY AVOIDED HAD BASIC PRECAUTIONS BEEN APPLIED
Reporters reached out to Deloitte for further information and a spokesperson had this to say:
Deloitte’s response to the cyber incident included the following:
- Implementing its comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte;
- Contacting governmental authorities immediately after it became aware of the incident; and,
- Contacting each of the very few clients impacted
The attacker accessed data from an email platform. The review of that platform is complete.
Importantly, the review enabled us to understand precisely what information was at risk and what the hacker actually did and to determine that:
- Only very few clients were impacted
- No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers
For Deloitte, this is particularly embarrassing because—among many other services—the multinational firm runs a “CyberIntelligence Centre” that advises clients on how to “swiftly and effectively mitigate risk and strengthen your cyber resilience.” In 2012, research and advisory firm Gartner named Deloitte the best cybersecurity consultant in the world. As is so often the case, you can have the most fool-proof security operations around, but if some fool doesn’t use two-factor authentication, you’re a sitting duck. The other Big Four firms are laughing their way home.