Massive Hack At Deloitte: Entire Internal Email System Compromised, Client Emails Exposed

Another day, another major hack.

The Guardian reports that in the latest corporate cyber breach, Deloitte, one of the world’s “big four” accounting and consultancy firms, was targeted by a sophisticated hack that "compromised the confidential emails and plans of some of its blue-chip clients." And just like Equifax, New York-headquartered Deloitte was the victim of an attack that went unnoticed for months: the Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

Responding to questions from the Guardian, Deloitte confirmed it had been the victim of a hack but insisted only a small number of its clients had been “impacted”. It would not be drawn on how many of its clients had data made potentially vulnerable by the breach. Alas, the company has yet to disclose in full which clients were affected: an estimated 5 million emails were in the hacked email cloud and could have been accessed by the hackers. Deloitte said the number of emails that were at risk was a fraction of this number but declined to elaborate.

While, unlike Equifax, Deloitte is not a public company and is not accountable to countless shareholders, with $37 billion in revenue last year and over 263,000 employees worldwide, Deloitte is a corporate behemoth which provides auditing, tax consultancy and - like Equifax - high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. Here the Guardian reports that Deloitte clients "across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments."

So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

Embarrassingly, the administrator account was protected by a single password alone and had no “two-step” verification, the very control that Deloitte and other companies strongly urge everyone to use.
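The failure described above, a privileged account protected by nothing more than a password, is something an administrator of a Microsoft cloud tenant can check for directly. The following PowerShell is an added example and is not material from the Guardian, Krebs on Security or Deloitte; it assumes the legacy MSOnline module and an account permitted to read directory roles, and the list of role names is an assumption that should be widened to match the tenant being audited.

```powershell
# Added example (not from the article or Deloitte): list members of privileged
# Azure AD / Office 365 roles whose per-user MFA state is neither Enabled nor Enforced.
# Assumes the legacy MSOnline module (Install-Module MSOnline) and an account that
# can read directory roles. The role list is an assumption; widen it for your tenant.
Connect-MsolService

$privilegedRoles = @(
    'Company Administrator',           # internal name of Global Administrator
    'Exchange Service Administrator',  # internal name of Exchange Administrator
    'Security Administrator',
    'Privileged Role Administrator'
)

$findings = foreach ($roleName in $privilegedRoles) {
    $role = Get-MsolRole -RoleName $roleName
    if (-not $role) { continue }

    # Only user members carry an MFA state; groups and service principals are skipped.
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object {
            $user = Get-MsolUser -ObjectId $_.ObjectId
            # StrongAuthenticationRequirements is empty when per-user MFA is Disabled.
            $mfaState = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
                $user.StrongAuthenticationRequirements[0].State
            } else { 'Disabled' }

            [pscustomobject]@{
                Role              = $roleName
                UserPrincipalName = $user.UserPrincipalName
                MfaState          = $mfaState
                LastDirSync       = $user.LastDirSyncTime
            }
        }
}

# Accounts that would fall to a single stolen password, as the Deloitte account did.
$findings |
    Where-Object { $_.MfaState -notin @('Enabled', 'Enforced') } |
    Sort-Object Role, UserPrincipalName |
    Format-Table -AutoSize
```

One caveat before treating a hit as a finding: StrongAuthenticationRequirements reflects only the legacy per-user MFA setting. A tenant that requires a second factor through Conditional Access policies will report 'Disabled' here even though sign-in does demand MFA, so each result must be cross-checked against those policies. Microsoft has since deprecated MSOnline in favour of the Microsoft Graph PowerShell SDK, where the same question is answered from role assignments and the authentication-methods data.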

As the Krebs on Security blog separately notes, "according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system."

The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for “a long time” and that the company still does not know exactly how much total data was taken.

Penetrating the unknown number of emails involved breaching the Microsoft cloud used by the company. Emails to and from Deloitte’s 244,000 staff were stored in Microsoft’s Azure cloud service, Microsoft’s equivalent to Amazon Web Services and Google’s Cloud Platform.

In addition to emails, the Guardian adds the hackers had "potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details."

Until today's report, the hack had not been disclosed to the public: the breach, which was US-focused, was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.

The team investigating the hack is understood to have been working out of the firm’s offices in Rosslyn, Virginia, where analysts have been reviewing potentially compromised documents for six months.

The team has yet to establish whether a lone wolf, business rivals or state-sponsored hackers were responsible.

Translation: while Putin wasn't accused of hacking Equifax, he may yet get the blame this time.

Making this breach even more complicated, it is still unknown what information the hackers acquired: Guardian sources said that if the hackers had been unable to cover their tracks, it should be possible to see where they went and what they compromised by regenerating their queries. This kind of reverse-engineering is not foolproof, however.
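The reconstruction the Guardian's sources describe, working out where the intruders went from the traces their actions left, is in Exchange Online a question put to the unified audit log. As an added example (not the article's, Krebs's or Deloitte's material), this PowerShell pulls every mailbox-access event attributed to a suspected compromised admin account over the window in question and summarises which mailboxes it opened and from which addresses. The account name and dates are placeholders, and it assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) held by an account with audit-log read permission.

```powershell
# Added example (not from the article or Deloitte): reconstruct what a compromised
# admin account touched in Exchange Online from the unified audit log.
# Assumes Connect-ExchangeOnline has already been run. Account and dates are placeholders.
$suspectAdmin = 'admin@example.com'
$start = Get-Date '2016-10-01'
$end   = Get-Date '2017-03-31'

# Search-UnifiedAuditLog returns at most 5000 records per call; a shared SessionId with
# ReturnLargeSet pages through the rest until a call comes back short.
$events    = @()
$sessionId = [guid]::NewGuid().ToString()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $suspectAdmin -RecordType ExchangeItem `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += $page
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON blob; unpack the fields an investigator needs.
$accesses = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation        # e.g. FolderBind, SoftDelete, Move, SendAs
        Mailbox   = $d.MailboxOwnerUPN
        ClientIP  = $d.ClientIP
        LogonType = $d.LogonType        # 0 = owner, 1 = admin, 2 = delegate
    }
}

# Which mailboxes the account opened as admin or delegate, from where, and how often.
$accesses |
    Where-Object { $_.LogonType -ne 0 } |
    Group-Object Mailbox, ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

This is exactly where the "not foolproof" caveat bites: the log holds only what was being recorded at the time. Exchange Online did not enable mailbox auditing by default in 2016-2017 and unified audit log retention was then 90 days, so for access that began in October 2016 and was discovered in March 2017 much of the trail may simply never have existed; an intruder holding every admin account could also have turned auditing off or purged it. The reconstruction is only as good as the logging that was in place before the breach.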

“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesman said. “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.

“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers. We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.”

“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”

Deloitte declined to say which government authorities and regulators it had informed, or when, or whether it had contacted law enforcement agencies.

Of course, as noted above, the breach is a deep embarrassment for Deloitte, which offers clients advice on how to manage the risks posed by sophisticated cybersecurity attacks. If only the company had followed its own advice. Even more awkward, in 2012 Deloitte was ranked the best cybersecurity consultant in the world and has a “CyberIntelligence Centre” to provide clients with “round-the-clock business focussed operational security." It is unclear if that unit was also hacked.

While we await a fuller account from Deloitte, what comes next is likely lots of lawsuits and even more settlements. According to the Guardian, on 27 April Deloitte hired US law firm Hogan Lovells on “special assignment” to review what it called “a possible cybersecurity incident”. The Washington-based firm has been retained to provide “legal advice and assistance to Deloitte LLP, the Deloitte Central Entities and other Deloitte Entities” about the potential fallout from the hack.