A security breach at Deloitte, a major accounting and consulting firm, may be much more serious than the company admits. Deloitte previously said on Sept. 25 that “very few clients” had been affected by a hack into its email platform, which began in fall 2016 and was uncovered in March 2017. The company has claimed that, after an internal review, only six clients were found to have been compromised.
Yet the Guardian reported Tuesday, based on information from anonymous sources, that the affected server housed emails exchanged with about 350 clients, many of them high-profile. That group includes the U.S. departments of defense, state, energy, and homeland security, along with the National Institutes of Health, the U.S. Postal Service, and major companies like Fannie Mae and Freddie Mac. The server also contained emails to or from unnamed global banks, airlines, car manufacturers, energy companies, and pharmaceutical manufacturers.
Deloitte told the Guardian that “the number of email messages targeted by the attacker was a small fraction of those stored on the platform.” But the Guardian’s sources retorted that the firm cannot be completely sure what data the hackers accessed. It could have included email attachments with confidential security and design materials, as well as log-in information, IP addresses, and health data.
The breach occurred when Deloitte was transitioning its email service to Microsoft Office 365, during which time hackers infiltrated an administrator’s account, giving them access to the email database. The firm had not established multifactor authentication (like using an authenticator app or getting a verification code via text message) for emails as a standard at that point, though the company has done so over the past months in light of the cyberattack.
Deloitte responded to the Guardian with a statement:
We dispute in the strongest terms that Deloitte is “downplaying” the breach. We take any attack on our systems very seriously. We are confident that we know what information was targeted and what the hacker actually did. Very few clients were impacted, although we want to stress that even when one client is impacted, that is one client too many. We have concluded that the attacker is no longer in Deloitte’s systems and haven’t seen any signs of any subsequent activities. Our review determined what the hacker actually did. The attacker accessed data from an email platform. The review of that platform is complete.
One expert told Silicon Republic that the information exposed at Deloitte could help cyber swindlers craft spear phishing emails, which are personalized to seem believable to certain targets, making it more likely that they will divulge private information. It was also reported on Tuesday that Accenture, another big consulting firm, inadvertently left a wealth of private client information unsecured on four servers, allowing virtually anyone to download the data. The good news is that this lapse was uncovered by a researcher, not (as far as we know) a bad actor. Accenture told the Hill, “There was no risk to any of our clients—no active credentials, [personally identifiable information] or other sensitive information was compromised.”
