One of the “big four” accountancy and consulting firms, Deloitte, has admitted one of its systems has been breached. The breach was detected in March but has only just become public. Attackers were able to access email and see all emails between Deloitte and its customers. Deloitte says that it has used the time between the breach and public announcement to review and remediate the system. It also claims that very few customers were affected and it has contacted and spoken to them.
Six months is a very long time for any breach to be kept quiet. In a statement Deloitte says it contacted regulators immediately. It is likely, therefore, that the only reason for the public acknowledgement now is that the breach was reported by the Guardian.
What do we know about the breach?
Not a lot outside of the Guardian article. In that article it reports that its sources told it: The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.
To make matters worse it appears that: The account required only a single password and did not have “two-step“ verification. While security companies have been quick to jump on this latter comment it is not unusual. The use of two-step or multi-factor authentication is still not the norm across organisations especially for administration of email systems.
Although the breach is US focused, the Guardian reports that the email system is used by all 244,000 Deloitte staff worldwide. There were over 5 million emails that the hackers could have accessed. Deloitte has told the Guardian the number of at risk emails were only a fraction of this number.
How it has established that is not clear. It has had time now to trawl through the attack. This may show exactly what was accessed. However, this was a compromised administrator attack which implies the whole system and every email in it was at risk.
The period of time that the attack has gone on for is also not public. The Deloitte press office has declined to respond to an email from ET asking for more details about this. The longer the attackers had access to the system the more data they will have gathered. Taking the Deloitte statement at face value, that only a small number of emails were affected, suggests something other than a simple attack.
It could be that the attackers were focused on a specific set of customers or projects. This would explain the small number and why Deloitte took so long to go public. It would also mean that there was ample opportunity for the attackers to launch other attacks using the Deloitte system.
The Deloitte statement
Deloitte has issued a press release containing its response to the news of the breach. Strangely, it can only be found by setting location to Worldwide. The statement is not carried on the country websites. It says:
In response to a cyber incident, Deloitte actions have included the following:
Implementing its comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte
Contacting governmental authorities immediately after it became aware of the incident; and
Contacting each of the very few clients impacted
The attacker accessed data from an email platform. The review of that platform is complete.
Importantly, the review enabled us to understand precisely what information was at risk and what the hacker actually did and to determine that:
Only very few clients were impacted
No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers
Deloitte remains deeply committed to ensuring that its cyber-security defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security.
Security vendors queuing up to criticise Deloitte
As usual in this type of incident there is no end to the amount of comment being offered by security vendors. At last count, ET had received over 22 emails from different PR agencies on behalf of their clients. Some of those comments include:
Kenneth Geers, senior research scientist, Comodo, NATO CCD COE (Cyber Centre) Ambassador and former NSA analyst: “Above all, professional hackers want to compromise strategic sites that yield exponential rewards. In a hack of this scale, criminals or spies will continue to reap dividends years down the road. The attack has gone on for at least six months, so the hackers may have been able to cover their tracks and/or install backdoors for future use.
“Only a foreign intelligence service could successfully absorb this much information; a cybercriminal group will have to sell the data so it can be repurposed. If the attack were primarily U.S.-focused, it could be that a foreign intelligence service was responsible. The irony is that Deloitte must have a first-class cybersecurity staff – and yet still was hacked.”
Richard Stiennon, Chief Strategy Officer at Blancco Technology Group: “Deloitte is one of the largest consulting firms in the world that regularly advises its clients on cybersecurity matters, including strong guidance around information governance. Their own experience with a simplistic breach of their Microsoft 365 infrastructure through an easy to access administrator account highlights how easy it is to overlook critical information stores.
“Email is the life blood of most modern companies. Practically all information eventually flows through email. Secure policy reviews, audit logs, legal matters and financials are freely shared and discussed on email. In Deloitte’s case, this included confidential client information.”
Sam Curry, CSO for Cybereason: “While news of the Deloitte breach is just surfacing I caution everyone not to cast stones because no one really has specific details of what happened unless they work at Deloitte or for their security consultants.
“However, if the report about Deloitte’s global email server being compromised is true and if access was gained through an “administrator’s account” that, in theory, gave hackers unrestricted “access to all areas’ of the network, then this is a wake-up call for corporations to at a minimum have two-step authentication in place as opposed to a single password. Naturally, there could be much more to this; and time will help us all understand the lessons to be learned in security operations and, hopefully, in transparency, respect for privacy and crisis communications.”
What does this mean
For a company that reported revenue of $38.8 billion (approx £29.5 million) this is embarrassing. As many of the emails from industry sources have pointed out, Deloitte has an very active cybersecurity consultancy. At the very least, those on site consultants will be squirming and some customers may be looking for a review of the advice they have been sold. One thing that every Deloitte consultant will have written down is multi-factor authentication. Expect to see this as a key security measure for their customers.
The most worrying thing for the company will be the risk of long-term damage. While it is playing down the number of customers and data compromised, the question will be have they caught it all. The comment from Geers around backdoors and other attacks left behind is particularly relevant. It would be a surprise if the attackers hadn’t attempt to do this.
It is easy to criticise Deloitte for the failure to have stronger protection on a core system. However, as Curry points out, throwing stones is a dangerous game. Email is one of those systems taken for granted. It is likely that many companies are in the same risk position as Deloitte. If there is one thing to take away from this it is a review of security across all systems irrespective of what they are.
IT departments also need to realise that adding two factor authentication is not just for users but for themselves as well, especially administrator accounts. Any department in fact that has global access to data or systems should consider the implications of this attack. As Dan Jeavons, GM of Advanced Analytics CoE at Shell pointed out in a recent podcast, “Data security is one of the biggest challenge that analytics teams face.”