Global Weekly Executive Summary, 29 SEPT 2017

Deloitte Data Breach

Multinational accounting and auditing firm Deloitte was the victim of a major cyberattack that lead to unauthorized access to the company’s internal email systems. Staff and client data was stolen, including usernames, passwords, IP addresses, business diagrams, and health information and email “attachments with sensitive security and design details.”

When did it happen?

Deloitte says they discovered the breach in March 2017, but several articles claim the company’s email servers may have been compromised as early as October 2016 when the company sent out a mandatory password reset email.

Who is Deloitte?

Deloitte, a multinational professional services firm with headquarters in London and New York City, is known as one of the “Big Four” professional services companies in the world. According to Deloitte’s American website, they offer the following services: tax, mergers/acquisitions, growth enterprise services, analytics, audit/assurance, consulting, and financial and risk advisory. Their risk advisory services include cyber risk advising and a CyberIntelligence Centre that monitors and assesses for threats and handles incident response.

Who was affected?

According to The Guardian, Deloitte clients include “some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and governmental agencies.”

A Deloitte spokesman said, “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.” In fact, six unidentified Deloitte clients were notified. The spokesman described the number of emails at risk as a fraction of the 5 million emails estimated to be stored in the Azure cloud service.

An insider source cited by security researcher Brian Krebs in his article says the breach is likely more far-reaching than reported by Deloitte. The source states that the entire internal database and all administrator accounts were compromised. “This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free reign in the network for “a long time” and that the company still does not know exactly how much total data was taken.”

How did this happen?

Deloitte’s global email server was compromised though an administrator’s account which was secured by a password but did not use two-factor authentication. Two-factor authentication could have prevented the breach or notified the account owner of unauthorized access. Multi-factor authentication is available for Azure administrator accounts at no additional cost, according to Microsoft Azure’s Multi-Factor Authentication webpage.

According to the Guardian article, “Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft… In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.”

Who did it?

Unknown.

The perpetrators and the extent of the breach are still unknown or have not been reported to the general public. Investigations are ongoing and have been in process for six month, since the breach was discovered in March 2017.

No group has claimed responsibility, but the motive is likely information/intelligence gathering for a threat group’s own use or for financial gain.

Why is this breach significant?

Deloitte, as one of the “Big Four,” has a client list that includes some of the largest, most well-known, and powerful companies in the world. This client list is made up of organizations with household name recognition but also includes US governmental departments.

A data breach that affects Deloitte also affects their many high-profile clients, but the breach was not announced until six months after it was discovered. Deloitte finally publicly confirmed the data breach after an article was published in The Guardian.

The type of information stolen was also important. Usernames and passwords were stolen, but health information, security details, and intellectual property like design details and diagrams were also taken.

This breach is also significant because Deloitte provides cyber risk assessment and advisory services to their powerful clients, but their own staff did not follow basic security measures such as requiring two-factor authentication and keeping large amounts of data in one location with insufficient security. As a result of this negligence, sensitive client data was entrusted to Deloitte was stolen.

Sources:

Deloitte, Services

The Guardian, Deloitte hit by cyber-attack revealing clients’ secret emails

CNET, Deloitte hacked, compromising its clients’ emails

Krebs on Security, Source: Deloitte Breach Affected All Company Email, Admin Accounts

Malwarebytes, Deloitte breached by hackers for months

Fortune, Deloitte Gets Hacked: What We Know So Far

Microsoft Azure, Multi-Factor Authentication