This week, news has emerged about a serious Deloitte data breach that allegedly resulted in ‘several gigabytes’ of sensitive emails sent to and from the accountancy firm’s clients being obtained by hackers.
Deloitte is one of the big four accountancy firms and provides auditing and tax consultancy services to some of the world’s biggest companies, including many banks, pharmaceutical firms, and government agencies. Deloitte also offers cybersecurity consultancy services and is one of the most widely respected firms, and was rated as the top cybersecurity consultancy firm in the world in 2012.
According to a report in The Guardian, the Deloitte data breach was detected in March, but was only announced this week. Hackers are believed to have access to the firm’s Azure cloud account for months, with the initial breach believed to have occurred in October last year. The Azure account was used to store company emails.
Access to the cloud was gained by hacking an administrator account, which was protected with a password, although allegedly did not have two-factor authentication in place.
Deloitte has confirmed it has suffered a data breach, although few details have been released about the nature of the breach other than Deloitte saying only a small number of its clients have been impacted. Deloitte also issued a statement saying, “no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.” The Guardian reported that just six of the company’s clients had been impacted, although Deloitte has not publicly confirmed how many clients were notified of the breach.
Deloitte hired a leading cybersecurity firm to perform a forensic analysis to determine the actions taken by the attacker(s), which information was accessed, and what clients were impacted. That analysis revealed the types of information compromised included email communications including file attachments, architectural diagrams for its clients, health information, and in some cases, sensitive security and design details. Usernames, passwords, IP addresses, and personal data of the firm’s clients were also believed to have been obtained by the attacker(s).
The cloud account allegedly contained as many as 5 million emails, although Deloitte believes only a small percentage of those emails were accessed during the time the attacker(s) had access to the account. While that is the official line, some sources close to the investigation suggest the Deloitte data breach is being downplayed. Brian Krebs wrote in a blog post that he has been informed that the attackers gained access to the firm’s entire store of emails and that all administrator accounts at the company had been compromised.
That source also said Deloitte performed a company-wide reset of its email passwords on October 17, 2016, suggesting a potential breach was suspected at the time. The source, who was close to the investigation, said several gigabytes of data had been exfiltrated from the cloud account to a server in the United Kingdom.