For months, the systems of Deloitte, a consulting and accounting firm that ranks among the world’s “big four,” were compromised and hardly anyone knew it. According to the Guardian, the breach has been kept under wraps since it was noticed by administrators in March. The attackers were able to access information from Deloitte’s major corporate and government clients in the US—all because, it appears, someone didn’t use two-factor authentication.
Lately it seems like a sophisticated hack is deployed against a major target with troves of sensitive data on a weekly basis. But in Deloitte’s case, the hackers reportedly just needed to acquire a single password from an administrator of the firm’s email accounts. The Guardian reports that the intruders had “access to all areas” of the email system. Internal investigators say they’ve been able to follow an electronic trail that shows major clients were the point of interest.
The full details of the breach are sketchy and Deloitte appears to have taken great pains to keep its investigation, codenamed “Windham,” under wraps. Only senior partners and lawyers were informed when the breach was noticed in March after an outside law firm was brought in to investigate “a possible cybersecurity incident.”
Deloitte insists that only a small fraction of its clients have been “impacted” by the breach. So far, six clients have been notified that the hackers were able to access “usernames, passwords, IP addresses, architectural diagrams for businesses and health information,” and in some cases sensitive security information. In total, the system reportedly stored emails from 244,000 staff members on Microsoft’s Azure cloud.
Gizmodo reached out to Deloitte for further information and a spokesperson had this to say:
Deloitte’s response to the cyber incident included the following:
· Implementing its comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte;
· Contacting governmental authorities immediately after it became aware of the incident; and,
· Contacting each of the very few clients impacted
The attacker accessed data from an email platform. The review of that platform is complete.
Importantly, the review enabled us to understand precisely what information was at risk and what the hacker actually did and to determine that:
· Only very few clients were impacted
· No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers
For Deloitte, this is particularly embarrassing because—among many other services—the multinational firm runs a “CyberIntelligence Centre” that advises clients on how to “swiftly and effectively mitigate risk and strengthen your cyber resilience.” In 2012, research and advisory firm Gartner named Deloitte the best cybersecurity consultant in the world. As is so often the case, you can have the most fool-proof security operations around, but if some fool doesn’t use two-factor authentication, you’re a sitting duck.