The email system of accounting giant and professional services firm Deloitte was breached last year, giving unknown actors access to some of its clients' sensitive communications, data, and internal documentation.
That the New York-based company is considered among the premier firms specializing in cybersecurity consulting makes the breach all the more embarrassing and perhaps damaging to Deloitte's brand.
The Guardian broke news of the breach on Monday, reporting that Deloitte first became aware of the security incident last March – although the perpetrators may have had access to the server as far back as October or November 2016.
In a statement supplied to the press, including SC Media, Deloitte acknowledged that an attacker “accessed data from an email platform.” According to The Guardian, this platform runs on the Microsoft Azure cloud-computing service, which Deloitte used to store not only emails, but also usernames, passwords, IP addresses, architectural diagrams, health information, and sensitive security and design details.
Following a review of the platform, Deloitte determined that “only very few clients were impacted,” and that “no disruption has occurred to client businesses, to Deloitte's ability to continue to service clients, or to consumers,” the company asserted in its statement.
The firm says it has already contacted each of the affected companies. According to The Guardian, six clients have so far been notified – possibly, but not necessarily, including major banks, multinational companies, media enterprises, pharmaceutical firms, and government agencies. The news outlet further reports that the breach was “U.S.-focused” and was so sensitive in nature “that only a handful of Deloitte's most senior partners and lawyers were informed.”
Additionally, Deloitte says it has reached out to governmental authorities, initiated a review using both internal and external experts, and implemented a “comprehensive security protocol” in response to the incident.
The actors behind the breach reportedly accessed the Azure cloud service by compromising an administrator's account with unrestricted access to content. Sources told The Guardian that the account required the user to enter only a single password, and did not have “two-step” verification set up – a revelation that drew some sharp criticism.
“Deloitte provides a security consultancy service to enterprise and government clients, which includes recommendations against having administrator accounts without multi-factor authentication. The fact that a Deloitte administrator account was accessible without multi-factor authentication is inexcusable,” said Willis McDonald, threat research manager at Core Security. “To make matters worse, it appears that no one at Deloitte noticed suspicious account activity for months.”
“The first thing cybercriminals do after exploiting a network is to harvest the credentials of super-users” such as administrators, said Tom Kellermann, CEO of Strategic Cyber Ventures, in an email interview with SC Media. “Deloitte should have utilized adaptive authentication to protect [its] admins and executives from these adversaries,” he added, predicting that the breach would hurt the Deloitte brand.
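The two failures the experts above point to, a privileged account signing in with a single factor and suspicious admin activity going unnoticed for months, are both visible in ordinary sign-in telemetry. The script below is an added example (not Deloitte's code, and not the format of any vendor's sign-in log): it walks a small set of constructed sign-in records, flags successful privileged sign-ins that used no second factor, flags privileged sign-ins from a source IP the account has never used before, and lists admin accounts that never used MFA at all. The record fields and the set of roles treated as privileged are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample sign-in records (not real data). The field names are an
# assumption for this example, not the layout of any cloud provider's log.
SIGNINS = [
    {"ts": "2016-09-01T07:55:00", "user": "admin01",   "roles": ["GlobalAdmin"],   "ip": "198.51.100.7", "mfa": True,  "success": True},
    {"ts": "2016-09-15T08:02:00", "user": "admin01",   "roles": ["GlobalAdmin"],   "ip": "198.51.100.7", "mfa": True,  "success": True},
    {"ts": "2016-09-20T09:10:00", "user": "svc_admin", "roles": ["ExchangeAdmin"], "ip": "198.51.100.7", "mfa": False, "success": True},
    {"ts": "2016-10-30T02:41:00", "user": "svc_admin", "roles": ["ExchangeAdmin"], "ip": "203.0.113.45", "mfa": False, "success": True},
    {"ts": "2016-10-30T02:45:00", "user": "analyst02", "roles": ["User"],          "ip": "203.0.113.45", "mfa": False, "success": True},
    {"ts": "2016-11-02T03:05:00", "user": "svc_admin", "roles": ["ExchangeAdmin"], "ip": "203.0.113.45", "mfa": False, "success": False},
]

# Assumption: which directory roles count as privileged for this audit.
PRIVILEGED_ROLES = {"GlobalAdmin", "ExchangeAdmin"}


def audit_signins(records, privileged_roles=PRIVILEGED_ROLES):
    """Return three findings over successful sign-ins by privileged accounts:
    single-factor sign-ins, sign-ins from an IP the account has not used
    before (the first successful sign-in seeds the baseline and is not
    flagged), and accounts that never authenticated with MFA."""
    single_factor = []          # (ts, user, ip) for admin sign-ins with mfa == False
    new_ip = []                 # (ts, user, ip) for admin sign-ins from an unseen IP
    seen_ips = defaultdict(set)  # per-account IPs observed so far, in time order
    privileged_users, mfa_users = set(), set()

    # Process in chronological order so "previously seen IP" is well defined.
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not rec["success"] or not privileged_roles.intersection(rec["roles"]):
            continue
        user, ip = rec["user"], rec["ip"]
        privileged_users.add(user)

        if rec["mfa"]:
            mfa_users.add(user)
        else:
            single_factor.append((rec["ts"], user, ip))

        if seen_ips[user] and ip not in seen_ips[user]:
            new_ip.append((rec["ts"], user, ip))
        seen_ips[user].add(ip)

    return {
        "single_factor_admin_signins": single_factor,
        "admin_signins_from_new_ip": new_ip,
        "admins_never_using_mfa": sorted(privileged_users - mfa_users),
    }


if __name__ == "__main__":
    for name, finding in audit_signins(SIGNINS).items():
        print(name)
        for item in finding:
            print("   ", item)
```

Run against the constructed records, the audit reports two single-factor admin sign-ins by `svc_admin`, one admin sign-in from a never-before-seen IP (the 30 October sign-in from 203.0.113.45), and `svc_admin` as the one privileged account that never used MFA. The failed 2 November attempt and the non-privileged `analyst02` sign-in are ignored by design; a real deployment would run the same logic over the provider's exported sign-in log on a schedule and route the findings to the on-call queue, so that a single-factor admin sign-in is seen the day it happens rather than months later.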
In many ways, the Deloitte breach echoes last week's news that the Securities and Exchange Commission's document filing database was breached, allowing hackers to access documents that likely helped them engage in insider trading. Experts have noted that by attacking just one organization – the SEC – the culprits were able to accumulate intelligence on many companies in one fell swoop. A similar strategy may also be at play in the case of Deloitte.
“Above all, professional hackers want to compromise strategic sites that yield exponential rewards. In a hack of this scale, criminals or spies will continue to reap dividends years down the road,” said Kenneth Geers, senior research scientist at Comodo Group, and an ambassador with NATO's Cooperative Cyber Defence Centre of Excellence.
Calling the lack of 2FA “inexcusable,” Geers said that the attackers, who could easily be a sophisticated cybercriminal group or foreign intelligence service, have had months to “cover their tracks and/or install backdoors for future use… The irony is that Deloitte must have a first-class cybersecurity staff, and yet still was hacked.”
“Deloitte's customers were relaying non-public information, which could have been used to facilitate ‘competitive intelligence,’ or front-run the merger or acquisition strategy of the victim, or conduct digital insider trading,” said Kellermann. “Implicit trust is given to companies like Deloitte vis-a-vis their capacity to secure sensitive data, and by breaching an entity like them you can island-hop into her constituency.”
McDonald also believes the breach could have dire consequences for some clients. “Communications from auditing and consultancy tend to highlight the vulnerabilities of an organization from financial to security issues,” he said. “With months of access to sensitive communiques, an attacker could have the keys to the kingdom of many large entities.”
Ben Johnson, co-founder and CTO of Obsidian Security, said that any organization that stores and manages the sensitive information of other companies is a prime target. “If you are looking for political gain, you will want information on citizens as well as corporations. And if you're after financial gain, then monetizing sensitive personal information, as well as trying to make money off of sensitive proprietary corporate information, will... be in your playbook,” said Johnson, in an interview with SC Media.
Although he agrees Deloitte's reputation could take a hit, Johnson nevertheless thinks the company has a chance to grow from this experience by understanding first-hand the pain that comes from a breach. “If they can take lessons learned and better empathize with their clients, Deloitte can use this to further their position as cyber consultants,” said Johnson.