Massive Hack At Deloitte: Entire Internal Email System Compromised, Client Emails Exposed

Another day, another major hacking.

The Guardian reports that in the latest corporate cyber breach, one of the world’s “big four” accounting and consultancy firms, Deloitte, was been targeted by a sophisticated hack that "compromised the confidential emails and plans of some of its blue-chip clients." And just like Equifax, New York-headquartered Deloitte was similarly the victim of a cybersecurity attack that went unnoticed for months. The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

Responding to questions from the Guardian, Deloitte confirmed it had been the victim of a hack but insisted only a small number of its clients had been “impacted”. It would not be drawn on how many of its clients had data made potentially vulnerable by the breach. Alas, the company has yet to provide a full disclosure of just who and which clients were violated: an estimated 5 million emails were in the hacked email cloud and could have been been accessed by the hackers. Deloitte said the number of emails that were at risk was a fraction of this number but declined to elaborate.

While unlike Equifax Deloite is not a public public company and is not accountable to countless shareholders, with $37 billion in revenue last year and over 263,000 worldwide employees, Deloitte is a corporate behemoth which provides auditing, tax consultancy and - like Equifax - high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.  Here the Guardian reports that Deloitte clients "across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments."

So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

 

The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

Embarrassingly, the administrator level hack required only a single password and did not have “two-step“ verification, much like Deloitte and other companies strongly urge everyone to do.

As the Krebs on Security blog separately notes, "according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system"

The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.

 

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free reign in the network for “a long time” and that the company still does not know exactly how much total data was taken.

Penetrating the unknown number of emails involved breaching the Microsoft cloud used the by the company. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft’s equivalent to Amazon Web Service and Google’s Cloud Platform.

In addition to emails, the Guardian adds the hackers had "potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details."

Until today's report, the hack had been disclosed to the public: the breach, which was US-focused, was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.

The team investigating the hack is understood to have been working out of the firm’s offices in Rosslyn, Virginia, where analysts have been reviewing potentially compromised documents for six months.

 

It has yet to establish whether a lone wolf, business rivals or state-sponsored hackers were responsible.

Translation: while Putin wasn't accused of hacking Equifax, he may yet get the blame this time.

Making this breach even more complicated, it is still unknown what information the hackers acquired: Guardian sources said if the hackers had been unable to cover their tracks, it should be possible to see where they went and what they compromised by regenerating their queries. This kind of reverse-engineering is not foolproof, however.

“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesman said. “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.

 

“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers. We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required."

 

“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”

Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.

Of course, as noted above, the breach is a deep embarrassment for Deloitte, which offers clients advice on how to manage the risks posed by sophisticated cybersecurity attacks. If only the company had followed its own advice.  Even more awkward, in 2012 Deloitte was ranked the best cybersecurity consultant in the world and has a “CyberIntelligence Centre” to provide clients with “round-the-clock business focussed operational security." It is unclear if that unit was also hacked.

While we await an official statement from Deloitte, what comes next is lots of lawsuits and even more settlements. According to the Guardian, on 27 April Deloitte hired US law firm Hogan Lovells on “special assignment” to review what it called “a possible cybersecurity incident”. The Washington-based firm has been retained to provide “legal advice and assistance to Deloitte LLP, the Deloitte Central Entities and other Deloitte Entities” about the potential fallout from the hack.

Comments

SilverRhino ParkAveFlasher Mon, 09/25/2017 - 17:19 Permalink

And boom, those hackers just got internal security configurations and data on a huge percentage of those clients.    Firewall settings, port scanning details, network diagrams, etc.    Passwords are also likely to be compromised on everything as well.   [as in I have literally seen Deloitte guys email passwords to each other] Someone just got a SHITLOAD of good penetration assistance.   

In reply to by ParkAveFlasher

Deathrips Bigly Mon, 09/25/2017 - 19:26 Permalink

I have been telling everyfucking body for years.... The government is accountable and there is no (((foreign))) collution with our lawmakersThe gold is in fort knoxThe media is independentThe internet is whats compromising our benevolent governments been investing for us. Channeling MDB RIPS

In reply to by Bigly

HenryKissinger… HenryKissinger… Tue, 09/26/2017 - 02:55 Permalink

Guardian sources said if the hackers had been unable to cover their tracks, it should be possible to see where they went and what they compromised by regenerating their queries. This kind of reverse-engineering is not foolproof, however.There is PLENTY of documentation on how CIAVault 7/NSA and Unit8200 friends DO plant tracks to make it look as if other hacker groups did it (Russia/Iran, etc) 

In reply to by HenryKissinger…

Bigly SilverRhino Mon, 09/25/2017 - 18:05 Permalink

No joke. Here it comes.So many outsourced IT depts. and the execs have no idea how much they are actually exposed. Anything to squeeze a nickel out of the bottom line comes back to bite them in the ass. The ones that hurt the most or are the potentially worst, so far:Blue CrossEquifax Credit card #s like target and home depot...meh.When they have your mother's maiden name, ssn, dob, address, relatives, emergency contact, medical history, email AND scanned drivers license, you are screwed.

In reply to by SilverRhino

Bigly z530 Mon, 09/25/2017 - 19:33 Permalink

I went to the doctor today and they wanted to scan my insurance card and license. I gave her both...to prove i am me but told her she could not scan my license. Give the Blue cross hack as an excuse...or none...or whatever. Stop handing over shit. QUESTION.She gave me my license back, not scanned.RESIST, REFUSE, BOYCOTT.

In reply to by z530

GUS100CORRINA Mon, 09/25/2017 - 16:59 Permalink

Massive Hack At Deloitte: Entire Internal Email System Compromised, Client Emails ExposedMy respoinse: Security is getting to be a serious business ... first equifax and now these guys.Ransom business is alive an well.

overbet GUS100CORRINA Mon, 09/25/2017 - 17:21 Permalink

 I have Wells number in my phone contacts. I got a phone call last night from Wells Fargo fraud asking me if I changed my user id or pw in the last hour. I told them no. They replied that they recommend freezing the account until I can get to a comptuer and change the credentials and check the activity because they flagged suspcious activity and attempts to change my credentials were made. I said ok, but I am going to call you back because all of the scams going around. He said of course, "I am calling you from 1866xxxx wells fargo fraud department number, my name is Juan and my badge number is blah blah blah. Do I have your permission to send you a text now with a security code?" Sure. "Ok I sent it, read the code back to me so I can lock the account then call us right back."He was calling from Wells number and sent a text from wells number. I was taking care of the kid and slightly distracted at the time so I read the code back to him without really thinking it through. He then replied Mr Overbet, you are right about all of the scams going around and I just took $2500 from you thanks bitch and hung up. 

In reply to by GUS100CORRINA

WhackoWarner overbet Mon, 09/25/2017 - 17:37 Permalink

silly you.  I never ever ever ever allow any of this type of communication.Live and learn I guess but my tin foil hat has served well for decades. Silly you.  So willing to trust...check it out and think you are safe...feel good and sell the farm for pennies.  But call me a tin foil anarchist for years. Wake up USA USA all your equipment is meant to spy.  And cannot blame the hordes for laughing at you.  Built in back doors?  Because of false flag threats? Threats are your monopolies kiddo.  

In reply to by overbet

WhackoWarner overbet Mon, 09/25/2017 - 17:43 Permalink

C'mon overbet.  You have been hanging around here long enough to be careful. $2500?  you were actually lucky; as in slap on stupidity lucky.  Cheers and wish you well.  Guess you will never do that again.  You fell for it.  Was very easy not to just by donning your doubting hat.By the way it is no joke...that Smart Meter is not only making you slowly ill but it is data mining your info.  That Smart Meter on your home will be hacked lickedly split when targeted.  That is your data.  And the grid.Ain't we so glad we embraced Smart Meters?  Backdoor into every home everywhere. 

In reply to by overbet

overbet WhackoWarner Mon, 09/25/2017 - 18:04 Permalink

I am not easily fooled especially by somehting like this, but the guy was good.When I was a kid I had a job as a telemarketer selling accidental death and dismemberment insurance. They gave us rebuttle books with tabs to overcome different rebuttles. This guy not only had a good rebuttle book, he had it memorized and performed flawlessly. In hindsight, had I not been preoccupied at the time, I dont think I would have fallen for it, but youre right it wont happen again.The worst part is that I am aware of the phone number spoofing trick because I used it on my buddy. I typed a message on the computer that has a bot read what you typed so it sounds like a recording. I then called my buddy when I knew he couldnt answer and spoofed the IRS number. Had the bot read a message that we were auditing him and mentioned freezing his accounts. He freaked the fuck out. Anyway, figured Id post the experience. Maybe save someone the trouble of opening a new account and re-doing all the auto billy pay bullshit. 

In reply to by WhackoWarner

WhackoWarner overbet Mon, 09/25/2017 - 17:54 Permalink

sorry guy.  really.But having hung around here for many years I need to assume you read some warnings.I never give any information out.  I ask for a call back number that I can verify.  ONLY then.  Done it for years.Hackers are more targeted daily and more elegant in the approach.  NEVER trust anything over the phone asking for any personal information......period. EVER. The robbers are adapting and getting more chatty.  Never trust any OS or any security software.  Only thing I trust is my landline phone.......give me a verifiable phone number and then we can talk; maybe.

In reply to by overbet

Bigly JohninMK Mon, 09/25/2017 - 22:35 Permalink

Yes. Me three. See my comment above.There is a gadget that can cover it and block the waves however. They will ssy it is for their convenience. I will take it off on the day the guy goes on my street. That assumes they will tell me.The meter is one foot from the kitchen table on the outside. A concern ight there.EVERSOURCE, YOU SUCK. Thoughts?

In reply to by JohninMK