Deloitte breach tied to lack of multifactor authentication for admin account
A cyberattack on Deloitte, one of the world’s “big four” accounting firms, may have compromised private emails and plans of some of the company’s blue-chip clients, according to an exclusive report by Guardian.
The hackers were able to get into the network by cracking the password on an admin account that didn’t require a two-step authentication. That access provided the cybercriminals with unrestricted access to all areas and privileged data.
The staff emails were stored in the Azure cloud service, a Microsoft service.
In addition to emails, hackers could have potentially accessed architectural diagrams for businesses and health information. Some emails also had attachments with sensitive security and design details. The hackers only focused on the United States.
“The attacker accessed data from an email platform. The review of that platform is complete,” a Deloitte official said in an emailed statement. “The review enabled us to understand precisely what information was at risk and what the hacker actually did.”
We determined “no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers,” officials added.
The report continued to say that the information was so sensitive that only some of Deloitte’s most senior partners and lawyers were notified of the event.
Deloitte confirmed the attack on Monday, but said only a small number of clients were impacted and did not provide further details on the breach.
However, sources told security expert Brian Krebs the breach goes back to 2016 and compromised all administrator accounts and the entire internal email system. Hackers were able to obtain usernames, passwords and personal data of Deloitte’s top blue-chip clients.
Clients from all sectors had material in these breached accounts, and the companies included both U.S. government departments and household names, according to Guardian.
A source told Krebs that Deloitte is still investigating when the intrusion first began -- and for how long they were in the system. The primary focus is a Nashville company office, where the breach is thought to have started. Estimates put the breach in September 2016. The same source said the company is unsure if the hackers have been fully evicted from the system.
Forensic investigators found several gigabytes of data being exfiltrated to a U.K. server, according to the source. The source implied the company doesn’t know how the amount of data taken. The Guardian reported that Deloitte notified only six clients.
Deloitte sent all U.S. employees a mandatory password reset in Oct. 2016, telling employees that both passwords and personal identification numbers needed to be changed immediately. Failure to do so, would prohibit access to email or other Deloitte accounts, according to the source.
The same message advised employees on how to choose complex passwords.
The source told Krebs: “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”
Cyber Intel is Deloitte’s Cyber Intelligence Centre, touted as a business-focused operational security center that provides major companies with continuous protection -- including St. Joseph’s Healthcare System and FedEx. The company has a serious cybersecurity presence, advising many clients on how best to secure systems.
“Deloitte remains deeply committed to ensuring that its cyber-security defenses are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security,” officials said.
Deloitte is “implementing its comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte,” officials added. The company contacted government authorities immediately after discovering the incident.
News of Deloitte’s breach comes on the heels of two other major breaches this month.
The U.S. Securities and Exchange Commission admitted that a 2016 breach of its system may have allowed hackers to make a profit off of illegal trading. And Equifax reported a breach on Sept. 7 that impacted 143 million records and has been marred with a number of serious missteps.