Global accountancy firm Deloitte — known as one of the “big four” — has been hit by a sophisticated hack. With echoes of the Equifax data breach and CCleaner hack, the cyberattack went undetected for months and resulted in confidential emails being accessed, as well as company plans and the private information of high-profile, blue-chip clients.
Deloitte says that only a small number of its clients have been affected, but the size and importance of those that it deals with — including US government departments — means that even a limited number could have great impact. The firm is said to have discovered the hack in March, but it is possible that attackers gained access as long ago as October 2016.
The Guardian — which first broke the story — says that the attack was focused on the US side of Deloitte’s operations, and data belonging to banks, multinationals, media enterprises, pharmaceutical firms and government agencies was included in the breach. At the moment, Deloitte has only notified six of its clients that they have been “impacted” by the attack, and an investigation is underway.
The data accessed is said to be so sensitive in nature that only Deloitte’s most senior partners and lawyers were informed of the attack. It is thought that as well as emails (complete with sensitive security and design details in attachments), the hackers may have also accessed usernames, passwords, IP addresses, architectural diagrams for businesses and health information.
It is understood that hackers were able to use an administrator account to gain access to the firm’s global email server. Stored on Microsoft’s Azure cloud service, this was not protected with two-factor authentication.
Speaking to the Guardian, a Deloitte spokesman said:
“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilizing a team of cybersecurity and confidentiality experts inside and outside of Deloitte. As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.”
Deloitte’s Rosslyn, Virginia offices have been used for the last six months to carry out an investigation using the codename Windham. The firm added:
“We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.
“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”
It is not known which government departments have been affected by the attack, and it’s not clear whether this was a state-sponsored hack.