Accountancy giant Deloitte has been the victim of a cyber-attack that has compromised its global clients’ confidential emails and intellectual property.
The attack went unnoticed for months, sources said, and has impacted some of the largest organizations in the world, including multinational banks and media companies, Big Pharma and government entities.
Sources told the Guardian that the compromise was the result of privileged access: The attackers made their way into the company’s global email server by way of a hacked administrator account (that lacked two-factor authentication), sometime last October or November, and stayed there, collecting info on blue-chip clients, until Deloitte discovered the breach in March 2017.
The sources said that the attackers had access to around 5 million emails sent to and from Deloitte’s 244,000 staff during the time period, and that they were able to capture user names, passwords and in some cases intellectual property from email attachments, like architectural diagrams.
Ironically, cybersecurity consulting is one of Deloitte’s lines of business—and the primacy of email should have been understood, at least one expert told Infosecurity.
“Deloitte is one of the largest consulting firms in the world that regularly advises its clients on cybersecurity matters, including strong guidance around information governance,” said Richard Stiennon, chief strategy officer of Blancco Technology Group, via email. “Their own experience with a simplistic breach of their Microsoft 365 infrastructure through an easy to access administrator account highlights how easy it is to overlook critical information stores. Email is the life blood of most modern companies. Practically all information eventually flows through email. Secure policy reviews, audit logs, legal matters and financials are freely shared and discussed on email. In Deloitte's case, this included confidential client information.”
Sources also said that in late April, it hired law firm Hogan Lovells to review “a possible cybersecurity incident”, in tandem with the firm’s own internal review, which it code-named Windham.
For its part, Deloitte has confirmed it had been the victim of a hack but downplayed the impact or reach of the incident.
“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” the company told the paper. “The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.”
While information is scant and Deloitte has yet to confirm specific details of what happened, experts said that the compromise of a global email server should be a wake-up call for corporations to, at a minimum, have two-step authentication in place for privileged accounts.
"Deloitte is a ripe target because of the company's position right at the top of the corporate food chain,” said Tony Pepper, co-founder and CEO of Egress. “They work with some of the biggest organizations on Earth, at the very highest level, which is like a red rag to a bull for hackers.”
He added, "Whilst it hasn't been confirmed exactly what was stolen, compromised mail servers can be a good source of sensitive information for an attacker, allowing them to siphon off message content and attachments. This is why multi-factor access control such as two-factor authentication is important, especially for admins. It makes it much harder to gain illicit access in the first place, and provides a warning if someone is trying to log in without your knowledge.”
This is just the latest in a line of high-profile breaches in the global business and finance sector, following the Equifax and SEC breaches. Preventing such occurrences comes down to a multi-layered approach to data protection.
“A complete data governance regime should put email at the top of concerns,” Stiennon said. “While health records, financials and PII usually are considered first, it must be acknowledged that all of that critical information passes through email too. Email should be first protected against unauthorized access. But it’s just as important to manage the content. One critical control is encryption so email exchanges cannot be read without the participants' keys. Another is to regularly scrub emails wherever they reside. This can be based on a simple time horizon (securely erase anything older than a certain amount of years), or it could be fine-tuned to include types of emails or particular content.”
Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/