Deloitte hit by major client email hack

Tom Herbert
Acting Editor
AccountingWEB

Big Four firm Deloitte had blue-chip clients' usernames, passwords and personal details stolen in a cyberattack that apparently went unnoticed for months.

A Guardian investigation found that hackers were able to access the firm’s global email system and steal information belonging to the world’s biggest banks, multinational companies and government agencies.

The report stated that Deloitte discovered the security breach in March 2017, but attackers may have had access to the firm’s systems as far back as October 2016.

Details of the breach are sparse, but the attackers appear to have got in because the firm had not enforced two-factor authentication on the email system: a single valid username and password was enough to reach the global email system.

The criminals accessed Deloitte’s global email server through an administrator’s account that, according to sources, gave them unrestricted “access all areas”.
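The single-factor, all-areas administrator login described above is exactly what sign-in telemetry should surface long before a breach runs for months. The block below is an added example, not code from the article, from Deloitte or from any product, showing detection logic over a few constructed sign-in events in a made-up JSON layout (the field and role names are assumptions, not Azure AD's real schema): it flags successful sign-ins by privileged accounts that completed no second factor and summarises them per account with source IPs and the time window involved.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample sign-in events in a made-up JSON layout (an assumption, not any
# real product's log schema). "mfa" records whether a second factor was completed.
SAMPLE_EVENTS = [
    '{"ts":"2016-10-03T02:14:09Z","user":"mailadmin@corp.example","roles":["ExchangeAdmin"],"mfa":false,"src_ip":"203.0.113.7","result":"success"}',
    '{"ts":"2016-10-03T09:02:41Z","user":"jdoe@corp.example","roles":[],"mfa":false,"src_ip":"198.51.100.22","result":"success"}',
    '{"ts":"2016-10-04T02:20:55Z","user":"mailadmin@corp.example","roles":["ExchangeAdmin"],"mfa":false,"src_ip":"203.0.113.7","result":"success"}',
    '{"ts":"2016-10-04T08:30:00Z","user":"secops@corp.example","roles":["GlobalAdmin"],"mfa":true,"src_ip":"198.51.100.40","result":"success"}',
    '{"ts":"2016-10-05T03:01:12Z","user":"mailadmin@corp.example","roles":["ExchangeAdmin"],"mfa":false,"src_ip":"203.0.113.7","result":"failure"}',
    '{"ts":"2016-10-06T11:45:30Z","user":"mailadmin@corp.example","roles":["ExchangeAdmin"],"mfa":false,"src_ip":"203.0.113.9","result":"success"}',
]

# Assumed role names; in practice take this from the directory's privileged-role list.
PRIVILEGED_ROLES = {"GlobalAdmin", "ExchangeAdmin"}


def parse_event(line: str) -> dict:
    """Parse one JSON event and normalise the fields we rely on.

    A missing "mfa" key fails safe: it is treated as no second factor completed.
    """
    ev = json.loads(line)
    ev.setdefault("roles", [])
    ev["mfa"] = bool(ev.get("mfa", False))
    return ev


def is_privileged(ev: dict) -> bool:
    return bool(PRIVILEGED_ROLES.intersection(ev["roles"]))


def find_single_factor_admin_logins(lines: Iterable[str]) -> List[dict]:
    """Successful sign-ins by privileged accounts where no second factor was completed."""
    return [ev for ev in map(parse_event, lines)
            if ev["result"] == "success" and is_privileged(ev) and not ev["mfa"]]


def summarise(hits: List[dict]) -> Dict[str, dict]:
    """Per account: number of single-factor admin sessions, source IPs and time window.

    Timestamps are fixed-width ISO-8601 UTC strings, so string min/max orders them correctly.
    """
    out = defaultdict(lambda: {"count": 0, "src_ips": set(), "first_seen": None, "last_seen": None})
    for ev in hits:
        s = out[ev["user"]]
        s["count"] += 1
        s["src_ips"].add(ev["src_ip"])
        s["first_seen"] = ev["ts"] if s["first_seen"] is None else min(s["first_seen"], ev["ts"])
        s["last_seen"] = ev["ts"] if s["last_seen"] is None else max(s["last_seen"], ev["ts"])
    return dict(out)


if __name__ == "__main__":
    for user, s in summarise(find_single_factor_admin_logins(SAMPLE_EVENTS)).items():
        print(f"{user}: {s['count']} single-factor admin sign-ins from {sorted(s['src_ips'])} "
              f"between {s['first_seen']} and {s['last_seen']}")
```

On the constructed data the non-privileged user and the MFA-backed admin are ignored, the failed attempt is ignored, and the mailbox administrator's three single-factor sessions from two addresses are reported as one finding; the same query, run continuously against real sign-in logs, is the control that turns "no 2FA" from a policy gap into an alert.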

The focus of the attack seems to have been on Deloitte’s American operations. So far six of the firm's clients have been informed that their information was “impacted” by the hack.

An estimated five million emails from the firm's 250,000-strong workforce are stored in Deloitte's Microsoft Azure cloud service, although the firm claims that only a fraction of that number was at risk.

The hackers' identity is as yet unknown, and Deloitte's New York office is currently undertaking an internal review of the incident, codenamed "Windham".

'Cyber incident'

Responding to the claims, a Deloitte spokesperson told the Guardian: “In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte”.

While it is too early to tell the full extent of the attack, it is particularly embarrassing as Deloitte provides consultancy services on how to manage the risks posed by cyber-attacks.

The setback is the latest in a series to befall Big Four firms in recent weeks. Last week KPMG found itself embroiled in political scandal after details emerged about its audits of Gupta-owned firms in South Africa.

Deloitte clients should ‘be on guard’

Oz Alashe, CEO of cyber awareness platform CybSafe, told AccountingWEB that the fact hackers now have details of Deloitte clients’ private emails is certainly cause for concern.

"The loss of these email address details could make it easier for fraudsters to commit 'spear phishing' attacks, not just on the Deloitte employees, but also on close family and friends," said Alashe.

“Spear phishing emails are highly personalised versions of the more common phishing scam. Rather than regular phishing emails – generic emails which are usually sent to masses of people at the same time – spear phishing emails appear much more credible to the intended target by using details from an individual’s personal life.

“Deloitte clients need to be on guard for any suspicious emails and links that are sent to their compromised addresses, and they should extend this warning to other colleagues, family, friends and clients. Spear phishing emails can be exceptionally convincing and even the most tech-savvy need to be cautious.”

“Usernames and passwords have also reportedly been stolen. Needless to say, clients who have been affected need to promptly change their Deloitte passwords. If clients have reused their Deloitte password on other accounts, they should immediately look to change these too.”

About TomHerbert

Tom is acting editor at AccountingWEB, responsible for all editorial content on the site. If you have any comments or suggestions for us get in touch.

Replies

26th Sep 2017 12:03

It will be very embarrassing for them as they also provide security consultancy services to other companies. Having said that, the team that runs the internal security infrastructure will likely have nothing to do with the group that works with clients.

My understanding, based on reading other reports, is that access was obtained to "admin" level accounts, which is bad. Then you have the keys to the kingdom. Whether that means "admin" at the operating system level, e.g. root on Unix, I don't know. No system should allow admin/root level access via public interfaces, nor should it allow elevation to root privilege, e.g. su root/sudo, except under very specific control.

Ah, just reread the article and they use Azure from Microsoft, so I guess they have MS-based internal O/S infrastructure. However, the same rules apply.

We may never know how this breach happened.

Thanks (1)
27th Sep 2017 09:53

"clients' usernames, passwords and personal details stolen"

Is that plain text passwords?

Or hashed passwords?

Makes a big difference! A plain text password is only stored by numpty sys admins, whereas a hashed password using modern methods (like PBKDF2) cannot be deciphered. The question that needs to be asked is "how does Deloitte hash the passwords?"

Thanks (0)
27th Sep 2017 10:42

Perhaps this site could be of assistance?

www.hydrogardplc.com

Thanks (0)
27th Sep 2017 13:58

Unlikely to be clear text but you never know.

One problem with big companies with lots of accounts is that older accounts get left behind on old digest cryptography, as there is no easy way to upgrade, e.g. changing hashed passwords from SHA1 to SHA256. Yes, you can force a password change, but some companies are too lazy to even do that.

Also, other data which might identify you that is located in application databases should also be encrypted, e.g. email addresses, business addresses, NINs. People often use the same password at different places, so that password might be combined with an email in some other hack dump (Ashley Madison, anyone?), in which case that hashed password can be deciphered.

Just reading about another big hack (not accountancy related) - https://krebsonsecurity.com/2017/09/breach-at-sonic-drive-in-may-have-im...

EDIT: it gets worse for Deloitte https://www.theregister.co.uk/2017/09/26/deloitte_leak_github_and_google/

Thanks (0)
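The two comments above raise how passwords are hashed and what happens to accounts still sitting on an old digest. As an added example (not from the article or from any commenter, and not Deloitte's code), the block below uses Python's standard library to show the rehash-on-login pattern: a record is verified against whichever format it is in, and an account still on an unsalted SHA-1 digest is re-stored as salted PBKDF2-HMAC-SHA256 the next time its owner logs in successfully, since that is the only moment the plaintext is available. It also shows why the legacy format matters by cracking one with a tiny wordlist. The record format, iteration count, role of SHA-1 as the legacy scheme and the sample store are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed parameters: PBKDF2-HMAC-SHA256 with a per-user 16-byte random salt.
# 600,000 iterations follows current OWASP guidance; tune it to your login latency budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
PBKDF2_PREFIX = "pbkdf2_sha256$"


def legacy_sha1(password: str) -> str:
    """Legacy record format assumed for old accounts: unsalted, single-round SHA-1 hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Modern record: 'pbkdf2_sha256$<iterations>$<salt b64>$<dk b64>' (format is an assumption)."""
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s%d$%s$%s" % (PBKDF2_PREFIX, iterations,
                           base64.b64encode(salt).decode("ascii"),
                           base64.b64encode(dk).decode("ascii"))


def is_legacy(stored: str) -> bool:
    return not stored.startswith(PBKDF2_PREFIX)


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, using constant-time comparison."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_sha1(password), stored)
    _, iters, salt_b64, dk_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(got, expected)


def login(store: Dict[str, str], user: str, password: str) -> bool:
    """Verify the login and, on success, transparently upgrade a legacy record in place.

    The plaintext is only available at login time, so this is the moment to rehash
    without forcing a password reset on the whole user base.
    """
    stored = store.get(user)
    if stored is None:
        # Burn the same work for unknown users so timing does not reveal valid usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                            b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    if not verify(stored, password):
        return False
    if is_legacy(stored):
        store[user] = pbkdf2_hash(password)
    return True


def crack_legacy(stored_sha1: str, wordlist) -> Optional[str]:
    """One SHA-1 per guess with no salt: a dictionary pass is cheap and reusable across users."""
    for candidate in wordlist:
        if hmac.compare_digest(legacy_sha1(candidate), stored_sha1):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample store: one account still on the legacy format.
    store = {"alice@corp.example": legacy_sha1("Summer2016!")}
    print("legacy record cracked as:",
          crack_legacy(store["alice@corp.example"], ["password", "Summer2016!"]))
    print("login ok:", login(store, "alice@corp.example", "Summer2016!"))
    print("record now:", store["alice@corp.example"][:len(PBKDF2_PREFIX) + 8] + "...")
```

The upgrade only fires after a successful verification, so a wrong guess never touches the stored record; accounts whose owners never return stay on the old digest, which is the population a forced reset or an account purge has to deal with separately.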