Deloitte Hacked: What We Know Now

As first reported by The Guardian, ‘big four’ consulting firm Deloitte is the newest victim of a data breach. Deloitte discovered the hack in March, but it’s believed the attackers may have had access to its systems for several months prior. The hacker compromised the firm’s global email server through an “administrator’s account”. The Guardian was told an estimated 5m emails were in the “cloud” and could have been accessed by the hackers. Deloitte said the number of emails that were at risk was a fraction of this number but declined to elaborate.

Much like folks didn’t hesitate to note the music-major background of the chief security officer at Equifax, many have noted that one of Deloitte’s service offerings is Cyber Risk services, and that the umbrella Risk Advisory business was the fastest growing in terms of revenue for Deloitte in FY 2017. The fact that Gartner has rated Deloitte #1 in Security Consulting for 5 years hasn’t gone unremarked either.

Most security experts would agree that no organization is perfectly secure from cyber attacks. As Deloitte itself advises: “Any organization with information worth stealing is a target—no one is immune. It is not an “if” you are hacked, it’s a “when” you are hacked.”

What Deloitte Has Said About the Data Breach

On September 25, Deloitte released a statement that included the following points:

  • The attacker accessed data from an email platform. The review of that platform is complete.
  • Only very few clients were impacted.
  • No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.

In addition, Deloitte indicated that it had contacted governmental authorities immediately after becoming aware of the incident, and said it had contacted each of the very few clients impacted.

What the Experts Are Saying About the Deloitte Cyber Attack

Overlooking fundamental best practices and the importance of monitoring: Javvad Malik, security advocate at AlienVault, said the incident demonstrated that even the largest of organisations could sometimes overlook fundamental security practices such as not enabling two-factor authentication on administrative accounts. “It also highlights the importance of ongoing monitoring and threat detection so that any malicious activity can be detected and responded to in a timely manner,” he said.

Details from an insider: Information was shared with KrebsOnSecurity by a person with direct knowledge of the incident: “It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

The Register summarizes more security risks: The publication compiled findings from many security researchers that highlight potential additional vulnerabilities at Deloitte.

Ramifications for Deloitte consultants and customers: On-site consultants will be squirming and some customers may be looking for a review of the advice they have been sold. One thing that every Deloitte consultant will have written down is multi-factor authentication.

Security has morphed into responsibility: Sue Marquette Poremba talks with Scott Baker, senior director, Emerging Business Portfolio with Hitachi Data Systems. “Security, Baker says, has morphed into responsibility. Looking at some of the most recent breaches, I can see where companies offer security, but they don’t take responsibility for the data customers and employees have entrusted to them.”

One attack with many potential targets: “Deloitte’s customers were relaying non-public information, which could have been used to facilitate ‘competitive intelligence,’ or front-run the merger or acquisition strategy of the victim, or conduct digital insider trading,” said Tom Kellermann, CEO of Strategic Cyber Ventures. “Implicit trust is given to companies like Deloitte vis-a-vis their capacity to secure sensitive data, and by breaching an entity like them you can island-hop into her constituency.”

The danger of desensitization: Forbes asks: Are The Equifax, SEC And Deloitte Cyber security Breaches Desensitizing Society To This Threat?

Marianna Noll


Marianna Noll is a Maryland-based writer with an interest in the impact that technology has on organizations and users. She writes about software, user adoption and engagement with software, and IT security.
