Deloitte Email Breach, Cybersecurity Attack Undisclosed Publicly for Months

Deloitte, which ranks among the world's Top 100 Managed Security Services Providers for 2017, was hit by a major email system breach it reportedly discovered last March but kept publicly under wraps. Intruders may have been inside its network as far back as October or November, 2016, the Guardian first reported earlier today.

Updated October 10, 2017: The hack may have been far larger than originally reported -- potentially including communications with 350 customers, the Guardian now says.

Hackers are thought to have made away with confidential emails and strategic documents belonging to some of the $37 billion consultant’s top clients spanning banks, media organizations, multinational corporations and government agencies, the report said. So far, nobody is publicly suggesting who may be behind the theft but the likely suspects range from an individual to a competitor to a state-sponsored actor.

Deloitte said today that the break-in affected “only a very few clients,” based on an internal review of its systems, Reuters reported. However, as many as five million Deloitte emails were stored in the cloud and perhaps vulnerable to the hack, the Guardian said. The accounting firm has not revealed the clients involved in the caper.

“No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers,” the company said. Still, as cybersecurity attack history is repeatedly showing us, the fallout from these types of things tends to scattershot wider than at first glance. We’ll keep you updated as Deloitte assesses the damage.

Deloitte Email Breach

Here’s what else you need to know (via the Guardian):

  • Only a few of Deloitte’s most senior partners and lawyers knew about the breach, which is thought to have been launched in the U.S.
  • Attackers stole materials in Deloitte’s email system belonging to “household name” clients and U.S. government departments. The goods may have included usernames, passwords, IP addresses, architectural diagrams for businesses, health information and confidential security and design details.
  • Deloitte has briefed six of its clients whose information apparently has been “impacted,” a word increasingly used as a synonym for “stolen” in these cases.
  • The hacker(s) broke into Deloitte’s global email server through an administrator’s account that likely granted them privileged, unrestricted access. The account required only a single password and lacked “two-step“ verification, according to the Guardian’s sources.
  • An internal inquiry, code-named Windham, is trying to trace the attackers’ trail inside Deloitte’s network. Analysts have been examining documents that may have been compromised for about six months.
  • In late April, Deloitte hired Hogan Lovells, a law firm, to look into the possible repercussions from the attack.

Cybersecurity Expert and MSSP Reaction

Reaction about the hack is pouring in from the cybersecurity sector. “Deloitte is perhaps one of the more cyber-savvy organizations. Unfortunately, the myriad of different ways in which an enterprise may be breached is very large, and even a robust investment in traditional security technologies and incident response is not enough,” said Gaurav Banga, Balbix founder and CEO, in an email to MSSP Alert.

Rich Campagna, CEO, Bitglass, points to the need to move beyond static passwords. Dynamic identity management solutions that can detect potential intrusions, require multi-factor authentication, and integrate with existing systems for managing user access can be much more effective than basic password protection, he noted.

The MSSP sector has also weighed in.  John Christly, global CISO at Netsurion (a provider of managed security services for multi-location businesses) and EventTracker (a SIEM company) pointed to growing risks in the financial sector.

"The financial sector is getting an unprecedented wake-up call in case any had grown complacent – with targets in just a matter of weeks being one of the ‘big four’ accountancy firms, one of the ‘big three’ credit monitoring agencies, and the U.S. Securities and Exchange Commission," he noted.

As it the case with any data breach, vigilant monitoring, effective threat and anomaly detection, and rapid response is a must, he added. Pushing beyond two-factor authentication, Christly called for a policy of ‘least privilege’ and rigorous patching.

Deloitte ranks among the world's Top 100 MSSPs, according to MSSP Alert research that will debut on Thursday, September 28, 2017.

Additional reporting by Joe Panettieri.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.