Massive Hack At Deloitte: Entire Internal Email System Compromised, Client Emails Exposed

Tyler Durden's picture

Another day, another major hacking.

The Guardian reports that in the latest corporate cyber breach, one of the world’s “big four” accounting and consultancy firms, Deloitte, has been targeted by a sophisticated hack that "compromised the confidential emails and plans of some of its blue-chip clients." And just like Equifax, New York-headquartered Deloitte was similarly the victim of a cybersecurity attack that went unnoticed for months. The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

Responding to questions from the Guardian, Deloitte confirmed it had been the victim of a hack but insisted only a small number of its clients had been “impacted”. It would not be drawn on how many of its clients had data made potentially vulnerable by the breach. Alas, the company has yet to provide a full disclosure of just who and which clients were violated: an estimated 5 million emails were in the hacked email cloud and could have been accessed by the hackers. Deloitte said the number of emails that were at risk was a fraction of this number but declined to elaborate.

While, unlike Equifax, Deloitte is not a public company and is not accountable to countless shareholders, with $37 billion in revenue last year and over 263,000 worldwide employees, Deloitte is a corporate behemoth which provides auditing, tax consultancy and - like Equifax - high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. Here the Guardian reports that Deloitte clients "across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments."

So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.


The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

Embarrassingly, the administrator-level hack required only a single password: the account did not have “two-step” verification, the very measure Deloitte and other companies strongly urge everyone to use.

As the Krebs on Security blog separately notes, "according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system."

The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”


This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for “a long time” and that the company still does not know exactly how much total data was taken.

Penetrating the unknown number of emails involved breaching the Microsoft cloud used by the company. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft’s equivalent to Amazon Web Service and Google’s Cloud Platform.

In addition to emails, the Guardian adds the hackers had "potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details."

Until today's report, the hack had not been disclosed to the public: the breach, which was US-focused, was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.

The team investigating the hack is understood to have been working out of the firm’s offices in Rosslyn, Virginia, where analysts have been reviewing potentially compromised documents for six months.


It has yet to establish whether a lone wolf, business rivals or state-sponsored hackers were responsible.

Translation: while Putin wasn't accused of hacking Equifax, he may yet get the blame this time.

Making this breach even more complicated, it is still unknown what information the hackers acquired: Guardian sources said if the hackers had been unable to cover their tracks, it should be possible to see where they went and what they compromised by regenerating their queries. This kind of reverse-engineering is not foolproof, however.

“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesman said. “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.


“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers. We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.”


“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”

Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.

Of course, as noted above, the breach is a deep embarrassment for Deloitte, which offers clients advice on how to manage the risks posed by sophisticated cybersecurity attacks. If only the company had followed its own advice. Even more awkward, in 2012 Deloitte was ranked the best cybersecurity consultant in the world and has a “CyberIntelligence Centre” to provide clients with “round-the-clock business focussed operational security.” It is unclear if that unit was also hacked.

While we await an official statement from Deloitte, what comes next is lots of lawsuits and even more settlements. According to the Guardian, on 27 April Deloitte hired US law firm Hogan Lovells on “special assignment” to review what it called “a possible cybersecurity incident”. The Washington-based firm has been retained to provide “legal advice and assistance to Deloitte LLP, the Deloitte Central Entities and other Deloitte Entities” about the potential fallout from the hack.

ParkAveFlasher's picture

Gotta love "rankings".


SilverRhino's picture

And boom, those hackers just got internal security configurations and data on a huge percentage of those clients.    

Firewall settings, port scanning details, network diagrams, etc.    

Passwords are also likely to be compromised on everything as well.   [as in I have literally seen Deloitte guys email passwords to each other] 

Someone just got a SHITLOAD of good penetration assistance.  


jcaz's picture

Another music major bites the dust......

SilverRhino's picture

Not even sure he has that.    MAYBE 10 years experience.  


Grab screenshots and a PDF before they scrub this one.


Bigly's picture

LSU, PWC then toilet and douche. Unless he is missing history, around 40ish in age.

I am 3 levels from him. Maybe I should send an invite?

Deathrips's picture

I have been telling everyfucking body for years....


The government is accountable and there is no (((foreign))) collusion with our lawmakers

The gold is in fort knox

The media is independent

The internet is whats compromising our benevolent governments been investing for us.


Channeling MDB



3.7.77's picture

Nothing on the “Cloud” is secure.

Oh regional Indian's picture

When it rains from the Azure Mist, it Pours!

HenryKissingerZuckerberg's picture

this is not that bad UNLESS they provide tax avoidance consultancy services...

HenryKissingerZuckerberg's picture

Guardian sources said if the hackers had been unable to cover their tracks, it should be possible to see where they went and what they compromised by regenerating their queries. This kind of reverse-engineering is not foolproof, however.

There is PLENTY of documentation on how CIAVault 7/NSA and Unit8200 friends DO plant tracks to make it look as if other hacker groups did it (Russia/Iran, etc) 

sebmurray's picture

Hilarious how an auditing firm seems to never have come across the idea of encrypting data at rest. Especially when it's resting in Microsoft's cloud.

california chrome's picture

This Microsoft PowerPoint presentation "Into the cybersecurity breach" by CIO of Deloitte hasn't been taken down yet.

Apparently Sanouvong provided State Sector Cyber Risk Services.

The hackers had a field day with state security information.


Bigly's picture

No joke. Here it comes.

So many outsourced IT depts. and the execs have no idea how much they are actually exposed. Anything to squeeze a nickel out of the bottom line comes back to bite them in the ass.


The ones that hurt the most or are the potentially worst, so far:

Blue Cross



Credit card #s like target and home depot...meh.

When they have your mother's maiden name, ssn, dob, address, relatives, emergency contact, medical history, email AND scanned drivers license, you are screwed.

z530's picture

Good thing each breach gives you a year of free protection. I'm sure the hackers will NEVER use SSN info after the year is up.

Bigly's picture

I went to the doctor today and they wanted to scan my insurance card and license. I gave her proof I am me but told her she could not scan my license. Give the Blue Cross hack as an excuse...or none...or whatever. Stop handing over shit. QUESTION.

She gave me my license back, not scanned.


SilverRhino's picture

I do the same thing now with my son's school.   

They wanted a copy of my license.   

I asked for the Information Security handling policies.    Needless to say they got huffy when I refused to let it out of my hand.    

Stop handing that data to complete strangers. 

HenryKissingerZuckerberg's picture

I asked for the Information Security handling policies:

does your low wage fiverr chief information security officer work from

a India?
b China?
c Pakistan?
d Russia?
e brainfarted

Sanity Bear's picture

Deloitte Consulting: over 20,000 H1B applications from 2014-2016, almost all went through.

Master Toms Dog's picture

Let me get this straight:  this is one of the best cybersecurity consulting companies in the world.  And the best in 2012.

We are so screwed.

natxlaw's picture

And we get to find out AFTER the closing bell.

Sanity Bear's picture

that was your turn


Omen IV's picture

all good -  third parties now have opportunity for whistleblower disclosure of compromised financials by an auditor conspiracy with client  big $$$$$

BlindMonkey's picture

This has the potential to get medieval.  Let the blame games begin!!

SilverRhino's picture

What exactly do you mean by that?  Curious.  Thx.

GUS100CORRINA's picture

Massive Hack At Deloitte: Entire Internal Email System Compromised, Client Emails Exposed

My response: Security is getting to be a serious business ... first Equifax and now these guys.

Ransom business is alive and well.

overbet's picture

I have Wells number in my phone contacts. I got a phone call last night from Wells Fargo fraud asking me if I changed my user id or pw in the last hour. I told them no. They replied that they recommend freezing the account until I can get to a computer and change the credentials and check the activity because they flagged suspicious activity and attempts to change my credentials were made. I said ok, but I am going to call you back because all of the scams going around. He said of course, "I am calling you from 1866xxxx wells fargo fraud department number, my name is Juan and my badge number is blah blah blah. Do I have your permission to send you a text now with a security code?" Sure. "Ok I sent it, read the code back to me so I can lock the account then call us right back."

He was calling from Wells number and sent a text from wells number. I was taking care of the kid and slightly distracted at the time so I read the code back to him without really thinking it through. He then replied Mr Overbet, you are right about all of the scams going around and I just took $2500 from you thanks bitch and hung up. 

WhackoWarner's picture

silly you.  I never ever ever ever allow any of this type of communication.

Live and learn I guess but my tin foil hat has served well for decades.


Silly you.  So willing to trust...check it out and think you are safe...feel good and sell the farm for pennies.  But call me a tin foil anarchist for years.


Wake up USA USA all your equipment is meant to spy.  And cannot blame the hordes for laughing at you.  Built in back doors?  Because of false flag threats?


Threats are your monopolies kiddo.



WhackoWarner's picture

C'mon overbet.  You have been hanging around here long enough to be careful.


$2500?  you were actually lucky; as in slap on stupidity lucky.  Cheers and wish you well.  Guess you will never do that again.  You fell for it.  Was very easy not to just by donning your doubting hat.

By the way it is no joke...that Smart Meter is not only making you slowly ill but it is data mining your info.  That Smart Meter on your home will be hacked lickety-split when targeted.  That is your data.  And the grid.

Ain't we so glad we embraced Smart Meters?  Backdoor into every home everywhere. 

WhackoWarner's picture

Every single person here should read up on the "Smart Grid".  Data mining being more valuable than the electricity sold.  The health effects and fact it all comes down with a hack.

Smart grid is a crime.

Bigly's picture

Since they swapped me out without my fact it was in my file I opposed it, I am thinking of getting one of those faraday cages to put on it and take it off on the day they read the monthly.


Or should I switch back to analog on my own and have it risked that they turn me off.


overbet's picture

I am not easily fooled especially by something like this, but the guy was good.

When I was a kid I had a job as a telemarketer selling accidental death and dismemberment insurance. They gave us rebuttal books with tabs to overcome different rebuttals. This guy not only had a good rebuttal book, he had it memorized and performed flawlessly. In hindsight, had I not been preoccupied at the time, I don't think I would have fallen for it, but you're right it won't happen again.

The worst part is that I am aware of the phone number spoofing trick because I used it on my buddy. I typed a message on the computer that has a bot read what you typed so it sounds like a recording. I then called my buddy when I knew he couldn't answer and spoofed the IRS number. Had the bot read a message that we were auditing him and mentioned freezing his accounts. He freaked the fuck out.

Anyway, figured I'd post the experience. Maybe save someone the trouble of opening a new account and re-doing all the auto billy pay bullshit.

MANvsMACHINE's picture

Are you saying that you gave him the 2FA code?

Scuba Steve's picture

No, he gave the ID10T code ...

King of Ruperts Land's picture

The hack I am waiting for drastically cuts down on my metered power usage.

Winston Churchill's picture

I had an email from Barclays International  CI about security today.

In it, they reiterated that Barclays would never send emails to account holders.

No, I didn't click the  link.

Sanity Bear's picture

When bureaucracies meet the kind of competence challenges where what is true and false actually matters, it gets ugly and weird in a hurry.

WhackoWarner's picture

sorry guy.  really.

But having hung around here for many years I need to assume you read some warnings.

I never give any information out.  I ask for a call back number that I can verify.  ONLY then.  Done it for years.

Hackers are more targeted daily and more elegant in the approach.  NEVER trust anything over the phone asking for any personal information......period. EVER.


The robbers are adapting and getting more chatty.  Never trust any OS or any security software.  Only thing I trust is my landline phone.......give me a verifiable phone number and then we can talk; maybe.

Father ¢hristmas's picture

Time to convert all your assets into silver and move into a storage unit.

Glassport's picture

I must be the gullible sort, but how did you reading back a code allow him into your account?

WhackoWarner's picture

Only a matter of time before all those "SMART METERS" are taken down.


Which idiot here or anywhere accepted these insecure, unknown, spying devices as some freebie upgrade gift from a utility?  Bet every single cyber security expert on this site has one.

Bet every single expert here has a Stupid Meter.  How will that work out for you?

z530's picture

Not sure about anyone else but I was given ZERO choice with the smart meter. I'd love to see it ripped out.

JohninMK's picture

They are rolling them out in the UK and at least we do have the option to say no.

Bigly's picture

Yes. Me three. See my comment above.

There is a gadget that can cover it and block the waves however. They will say it is for their convenience. I will take it off on the day the guy goes on my street. That assumes they will tell me.

The meter is one foot from the kitchen table on the outside. A concern right there.




Yes We Can. But Lets Not.'s picture

I had hung a sign over my meter saying 'do not replace' and gave my phone # to call.  Assholes put a smart meter in anyways.