Deloitte cyberattack: Firm’s security was like “putting a £10 padlock around the Crown Jewels”
Another week, another report of a major cyberattack hitting a global firm.
Following on from an attack which exposed millions of Equifax customer details earlier this month, The Guardian is reporting Deloitte has been similarly targeted by an especially sophisticated hack.
It is believed confidential emails and plans of Deloitte’s blue-chip clients have been exposed in an attack that went unnoticed for months. Reports suggest Deloitte learned of the breach in March, but its systems could have been vulnerable since October 2016.
A hacker, or group of hackers, was able to break into Deloitte’s systems by reportedly compromising an email server via an “administrator’s account”. This would have given the attackers full access to the company, and such accounts typically have two-factor authentication enabled. It is only believed to be impacting US clients, but the precise number is not known.
Given its range of clients, analysts and security experts are speculating that the data could contain anything from details of “upcoming IPOs to government redundancy programmes.”
Deloitte, one of the world’s largest private accountancy firms recently named the best cybersecurity consultant in the world, manages clients such as banks, publishers as well as government agencies and it is thought companies spanning the full range of Deloitte’s clients could be at risk. It said only a small number of its clients had been affected, and all those impacted have been notified by Deloitte’s lawyers.
Ironically, Deloitte advises many people and organisations, from governments to industry giants, on cybersecurity so this breach is especially embarrassing.
A spokesperson told Alphr Deloitte implemented its “comprehensive security protocol” and initiated an “intensive and thorough review” which included using a team of cybersecurity and confidentiality experts inside and outside of Deloitte to contact authorities after it became aware of the incident as well as inform the “very few clients impacted.
They added that “Deloitte remains deeply committed to ensuring that its cybersecurity defences are best in class; to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity.”
SecureData’s CTO Etienne Greef believes this is just tip of the iceberg: “What I find incredible is that Deloitte, rightly a bastion of the “Passwords are Dead” Brigade, were caught out by someone using a domain administrator account to get into their global mail server. For a company who have recommended two-factor authentication for so long in so many of their own security reports, you would have thought they would implement it themselves.”
Greef continued that given Deloitte’s privileged position, “they should really have had the foresight to spend far more money on their cyber defences, and just plain basic security, than they evidently have.”
“The sheer value of, and the potential social effects of, the information that may have been compromised here is unfathomable to the average person. Here Deloitte has shown they did not invest nearly enough in their own cybersecurity. They have essentially spent £10 on a padlock to protect the Crown Jewels.”
This is the latest in a long line of companies that have suffered embarrassing, and in some cases damaging, attacks in recent months. The most recent, of course, being Equifax. Earlier this month, the credit monitoring firm said details of more than 143 million people (including 400,000 UK citizens) had been exposed following “unauthorised access” to its systems.
In a statement revealing the breach, Equifax said: “Criminals exploited a US website application vulnerability to gain access to certain files.”
A week or so later, CCleaner, an app used by millions to optimise computer performance, was hit by a malware attack. It’s thought the latest version of the app infects PCs, making them part of a botnet; slave computers that hackers can use at will to direct traffic for malicious purposes.
According to security investigators Cisco Talos, a version of CCleaner 5.33 downloaded in August included hidden malware. But owner Avast Piriform says it prevented the breach harming customers.
This latest Deloitte cyberattack comes off the back of comments made by technical director Ian Levy, from GCHQ’s National Cyber Security Centre who warned an unprecedented cyberattack will hit in the next few years.
Speaking at an event hosted by security software company Symantec, Ian Levy said he was “reasonably confident” a major attack will happen, and organisations should be prepared. He added that he expects the initial reaction to a category-one attack to be assertions that nothing could be done to stop it, but that an independent investigation will show that the attack was entirely preventable. Much of the blame, he said, should be levelled at organisations that don’t understand the data they have, and try to outsource their risk to firms that only mystify the process of cybersecurity.