Another day, another major hacking.
The Guardian reports that in the latest corporate cyber breach, one of the world’s “big four” accounting and consultancy firms, Deloitte, was been targeted by a sophisticated hack that “compromised the confidential emails and plans of some of its blue-chip clients.” And just like Equifax, New York-headquartered Deloitte was similarly the victim of a cybersecurity attack that went unnoticed for months. The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.
Responding to questions from the Guardian, Deloitte confirmed it had been the victim of a hack but insisted only a small number of its clients had been “impacted”. It would not be drawn on how many of its clients had data made potentially vulnerable by the breach. Alas, the company has yet to provide a full disclosure of just who and which clients were violated: an estimated 5 million emails were in the hacked email cloud and could have been been accessed by the hackers. Deloitte said the number of emails that were at risk was a fraction of this number but declined to elaborate.
While unlike Equifax Deloite is not a public public company and is not accountable to countless shareholders, with $37 billion in revenue last year and over 263,000 worldwide employees, Deloitte is a corporate behemoth which provides auditing, tax consultancy and – like Equifax – high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. Here the Guardian reports that Deloitte clients “across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments.”So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.
The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.
Embarrassingly, the administrator level hack required only a single password and did not have “two-step“ verification, much like Deloitte and other companies strongly urge everyone to do.
Penetrating the unknown number of emails involved breaching the Microsoft cloud used the by the company. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft’s equivalent to Amazon Web Service and Google’s Cloud Platform.
In addition to emails, the Guardian adds the hackers had “potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.”
Until today’s report, the hack had been disclosed to the public: the breach, which was US-focused, was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.…
Of course, as noted above, the breach is a deep embarrassment for Deloitte, which offers clients advice on how to manage the risks posed by sophisticated cybersecurity attacks. If only the company had followed its own advice. Even more awkward, in 2012 Deloitte was ranked the best cybersecurity consultant in the world and has a “CyberIntelligence Centre” to provide clients with “round-the-clock business focussed operational security.” It is unclear if that unit was also hacked.
While we await an official statement from Deloitte, what comes next is lots of lawsuits and even more settlements. According to the Guardian, on 27 April Deloitte hired US law firm Hogan Lovells on “special assignment” to review what it called “a possible cybersecurity incident”. The Washington-based firm has been retained to provide “legal advice and assistance to Deloitte LLP, the Deloitte Central Entities and other Deloitte Entities” about the potential fallout from the hack.
Full article: Massive Hack At Deloitte: Entire Internal Email System Compromised, Client Emails Exposed (ZeroHedge)