As first reported by The Guardian, ‘big four’ consulting firm Deloitte is the newest victim of a data breach. Deloitte discovered the hack in March, but it’s believed the attackers may have had access to its systems for several months prior. The hacker compromised the firm’s global email server through an “administrator’s account”. The Guardian was told an estimated 5m emails were in the “cloud” and could have been accessed by the hackers. Deloitte said the number of emails that were at risk was a fraction of this number but declined to elaborate.
Much like folks didn’t hesitate to note the music-major background of Equifax’s chief security officer, many have noted that one of Deloitte’s service offerings is Cyber Risk services, and that the umbrella Risk Advisory business was Deloitte’s fastest growing in terms of revenue in FY 2017. The fact that Gartner has rated Deloitte #1 in Security Consulting for 5 years hasn’t gone unremarked either.
Most security experts would agree that no organization is perfectly secure from cyber attacks. As Deloitte itself advises: “Any organization with information worth stealing is a target—no one is immune. It is not an ‘if’ you are hacked, it’s a ‘when’ you are hacked.”
What Deloitte Has Said About the Data Breach
On September 25, Deloitte released a statement that included the following points:
- The attacker accessed data from an email platform. The review of that platform is complete.
- Only very few clients were impacted
- No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers
In addition, Deloitte indicated it had contacted governmental authorities immediately after becoming aware of the incident, and said it had contacted each of the very few clients impacted.
What the Experts Are Saying About the Deloitte Cyber Attack
Overlooking fundamental best practices and the importance of monitoring: Javvad Malik, security advocate at AlienVault, said the incident demonstrated that even the largest of organisations could sometimes overlook fundamental security practices such as not enabling two-factor authentication on administrative accounts. “It also highlights the importance of ongoing monitoring and threat detection so that any malicious activity can be detected and responded to in a timely manner,” he said.
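As an added illustration of the two points Malik makes (this is example code written for this page, not anything from Deloitte, its email vendor, or AlienVault): a small Python review over constructed sign-in events that flags privileged sign-ins completed without a second factor, privileged sign-ins from sources outside an assumed baseline, and runs of failed sign-ins immediately followed by a success. The event schema, role names, addresses, timestamps and the source baseline are all assumptions made for the example.

```python
"""Flag privileged sign-ins that bypass MFA or arrive from unexpected sources.

Added example: the event format, role names and addresses below are
constructed for illustration and are not Deloitte's logs or any vendor's schema.
"""
import json

# Roles treated as privileged (assumed names, not tied to any real product).
PRIVILEGED_ROLES = {"ExchangeAdmin", "GlobalAdmin"}

# Constructed sample sign-in events in JSON-lines form.
SAMPLE_EVENTS = """\
{"ts": "2016-10-03T08:02:11Z", "user": "alice", "roles": ["User"], "mfa": true, "src": "203.0.113.10", "result": "success"}
{"ts": "2016-10-03T08:05:42Z", "user": "mail-admin", "roles": ["ExchangeAdmin"], "mfa": true, "src": "198.51.100.7", "result": "success"}
{"ts": "2016-10-03T22:41:09Z", "user": "mail-admin", "roles": ["ExchangeAdmin"], "mfa": false, "src": "192.0.2.55", "result": "failure"}
{"ts": "2016-10-03T22:41:30Z", "user": "mail-admin", "roles": ["ExchangeAdmin"], "mfa": false, "src": "192.0.2.55", "result": "failure"}
{"ts": "2016-10-03T22:42:07Z", "user": "mail-admin", "roles": ["ExchangeAdmin"], "mfa": false, "src": "192.0.2.55", "result": "success"}
{"ts": "2016-10-04T09:15:00Z", "user": "bob", "roles": ["User"], "mfa": false, "src": "203.0.113.11", "result": "success"}
{"ts": "2016-10-04T09:20:13Z", "user": "tenant-admin", "roles": ["GlobalAdmin"], "mfa": true, "src": "192.0.2.99", "result": "success"}
"""

# Assumed baseline: the sources each privileged account normally signs in from.
KNOWN_ADMIN_SOURCES = {
    "mail-admin": {"198.51.100.7"},
    "tenant-admin": {"198.51.100.8"},
}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_privileged(event):
    """True when any of the event's roles is in the privileged set."""
    return any(role in PRIVILEGED_ROLES for role in event.get("roles", []))


def admin_success_without_mfa(events):
    """Privileged accounts that signed in successfully with no second factor."""
    return [e for e in events
            if is_privileged(e) and e["result"] == "success" and not e["mfa"]]


def admin_success_from_unknown_source(events, known=KNOWN_ADMIN_SOURCES):
    """Privileged sign-ins from a source not in that account's baseline."""
    return [e for e in events
            if is_privileged(e) and e["result"] == "success"
            and e["src"] not in known.get(e["user"], set())]


def failures_before_success(events, min_failures=3):
    """Per-user runs of at least min_failures failed sign-ins immediately
    followed by a success: each failure alone is benign, the sequence is not."""
    findings = []
    streak = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["result"] == "failure":
            streak[user] = streak.get(user, 0) + 1
        else:
            if streak.get(user, 0) >= min_failures:
                findings.append((user, streak[user], e["ts"]))
            streak[user] = 0
    return findings


def review(text):
    """Run all three checks and return compact findings keyed by check name."""
    events = parse_events(text)
    return {
        "no_mfa": [(e["user"], e["ts"]) for e in admin_success_without_mfa(events)],
        "unknown_source": [(e["user"], e["src"])
                           for e in admin_success_from_unknown_source(events)],
        "brute_force": failures_before_success(events, min_failures=2),
    }


if __name__ == "__main__":
    for check, items in review(SAMPLE_EVENTS).items():
        print(check, items)
```

The point of the third check is Malik's second sentence: an account protected only by a password may be legitimately used all day, so the alert has to key on the sequence (repeated failures, then a success, from a source the account has never used) rather than on any single event. In practice the baseline would come from historical sign-in data rather than a hard-coded dictionary.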
Details from an insider: Information was shared with KrebsOnSecurity by a person with direct knowledge of the incident: “It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”
The Register summarizes more security risks: The publication compiled findings from many security researchers that highlight potential additional vulnerabilities at Deloitte.
Ramifications for Deloitte consultants and customers: On-site consultants will be squirming, and some customers may be looking for a review of the advice they have been sold. One thing that every Deloitte consultant will have written down is multi-factor authentication.
Security has morphed into responsibility: Sue Marquette Poremba talks with Scott Baker, senior director, Emerging Business Portfolio with Hitachi Data Systems. “Security, Baker says, has morphed into responsibility. Looking at some of the most recent breaches, I can see where companies offer security, but they don’t take responsibility for the data customers and employees have entrusted to them.”
One attack with many potential targets: “Deloitte’s customers were relaying non-public information, which could have been used to facilitate ‘competitive intelligence,’ or front-run the merger or acquisition strategy of the victim, or conduct digital insider trading,” said Tom Kellermann, CEO of Strategic Cyber Ventures. “Implicit trust is given to companies like Deloitte vis-a-vis their capacity to secure sensitive data, and by breaching an entity like them you can island-hop into her constituency.”
The danger of desensitization: Forbes asks: Are The Equifax, SEC And Deloitte Cyber security Breaches Desensitizing Society To This Threat?