Big Four firm Deloitte had blue-chip clients' usernames, passwords and personal details stolen in a cyberattack that apparently went unnoticed for months.
A Guardian investigation found that hackers were able to access the firm’s global email system and steal information belonging to the world’s biggest banks, multinational companies and government agencies.
The report stated that Deloitte discovered the security breach in March 2017, but attackers may have had access to the firm’s systems as far back as October 2016.
Details of the breach are minimal, but it does appear that the attackers were able to access the system because the firm did not employ two-factor authentication, meaning that the hackers were able to access the global email system by acquiring a single username and password.
The criminals accessed Deloitte’s global email server through an administrator’s account that, according to sources, gave them unrestricted “access all areas”.
The focus of the attack seems to have been on Deloitte’s American operations. So far six of the firm's clients have been informed that their information was “impacted” by the hack.
An estimated five million emails from the firm’s 250,000 workforce are stored in Deloitte’s Azure cloud service, which is provided by Microsoft, although the firm claims that a fraction of that number was at risk.
The hackers’ identity is yet unknown, and Deloitte’s New York office is currently undertaking an internal review into the incident codenamed “Windham”.
Responding to the claims, a Deloitte spokesperson told the Guardian: “In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte”.
While it is too early to tell the full extent of the attack, it is particularly embarrassing as Deloitte provides consultancy services on how to manage the risks posed by cyber-attacks.
The setback is the latest in a series to befall Big Four firms in recent weeks. Last week KPMG found themselves embroiled in political scandal after details emerged about its audits of Gupta-owned firms in South Africa.
Deloitte clients should ‘be on guard’
Oz Alashe, CEO of cyber awareness platform CybSafe, told AccountingWEB that the fact hackers now have details of Deloitte clients’ private emails is certainly cause for concern.
“The loss of these email address details could make it easier for fraudsters to commit ‘spear phishing’ attacks, not just on the Deloitte employees, but also on close family and friends,” said Alashe.
“Spear phishing emails are highly personalised versions of the more common phishing scam. Rather than regular phishing emails – generic emails which are usually sent to masses of people at the same time – spear phishing emails appear much more credible to the intended target by using details from an individual’s personal life.
“Deloitte clients need to be on guard for any suspicious emails and links that are sent to their compromised addresses, and they should extend this warning to other colleagues, family, friends and clients. Spear phishing emails can be exceptionally convincing and even the most tech-savvy need to be cautious.”
“Usernames and passwords have also reportedly been stolen. Needless to say, clients who have been affected need to promptly change their Deloitte passwords. If clients have reused their Deloitte password on other accounts, they should immediately look to change these too.”