News came out today September 25, 2017 that Deloitte was hacked and had a huge cyber attack.
Now the news was just released by the Guardian. It seems that the Guardian had a few inside sources that provided them with this information.
Ideally, Deloitte would have released this information themselves but it appears that they’ve been sitting on the information for quite some time since the attack was first noticed in March 2017.
Now let’s get down to the details of the hack. The guardian said that the hackers were probably in Deloitte’s systems since October 2016 to March of 2017. That means that hackers were in Deloitte’s systems for just about 6 months. As you may know, Deloitte services something like 80% of the Fortune 500. That’s just about every major company in the world.
At this time Deloitte is saying that very few clients were impacted by this breach, but the Guardian says otherwise. The Guardian says that their sources say that there have been about 6 clients that have been impacted and notified to date, but there could potentially be more as the investigation is still ongoing.
How Did the Hackers Get Into Deloitte’s Systems?
So how did the hackers get in and what did they do. Well the hackers got in through Deloitte’s emails server through an administrator account. Having access to this administrator account gave these hackers unrestricted access to Deloitte’s systems which is completely insane to me. It is believed they gained easy access to the email server because of a lack of security. The server only required a one step password to gain administrator access. There should have been at least a two step process to gain administrator access and prevent this kind of breach.
It is also believed that some Deloitte contractors posted their passwords onto their personal Google plus pages for other contractors to see. These pages were left up and essentially left a back door open for the hackers to gain access.
There appears to be multiple ways that the hackers gained access to Deloitte’s systems.
Deloitte’s Cloudy Email to Blame?
Another thing that makes this worse is that Deloitte’s systems were in the cloud. More specifically they were on a Microsoft Azure platform. I think this is bad for Deloitte and Microsoft. Deloitte looked real smart as they are one of the first big 4 to take their email to the cloud, but now it looks like a terrible idea in light of this breach. This looks bad for Microsoft because now clients will be wondering whether they should trust Microsoft’s cloud service. The other big 4 I don’t believe are in the cloud with their email at this point.
Additionally it is believed that hackers gained access to other valuable information such as usernames, passwords, IP addresses and health information. This is also includes sensitive business information that was likely embedded in all of these emails
Why the long delay?
So why is there a huge delay from when they figured this out until now when the news came out. Well Deloitte wanted to keep this secret as they investigated what happened. They even established a code name for the project called Windham. This involved specialists trying to map out all the areas that were impacted. I believe the investigation is still ongoing. Another thing that came out of this investigation is that Deloitte hired a law firm, Hogan Lovells in Washington DC, after they found out they were hacked. I’m sure this measure was to help protect them once the lawsuits started rolling in. They also need to assess the financial damage that will be implicated from this for insurance purposes. They not only have to estimate how much they will be sued for but also how much business they will lose for their insurance claim. You have to remember it’s the Guardian that released this information about Deloitte. It wasn’t Deloitte themselves in a press release. I’m sure it will only take a matter of days for dozens of lawsuits to be filed against Deloitte. Those lawsuits will show how Deloitte could have notified clients that their accounts were hacked earlier in the process which is bad for Deloitte’s pocketbooks.
The Guardian also stated that as soon as they figured out that they were hacked that they notified government regulators.
Deloitte in a statement said that only a small fraction of their clients have been impacted which to me is confusing. If your whole email server was breached by hackers, how do you know that only a small fraction were impacted? Also, why would you say that only a small fraction of your clients were impacted if you know there could be further legal implications.
What if more clients are impacted, then you’ll just look like an incompetent steward of important information. Not only did you not know that you were hacked for 6 months straight, but you also didn’t know what the complete impact of the hack was. Therefore, you didn’t notify all the clients you should have which leaves you on the hook for more financial damages. Additionally the more incompetent you seem, the more work you are going to lose as a result.
Another funny thing that the Guardian points out is that Deloittes is a huge cyber security consultant. They also had some good quotes from Deloitte’s website such as:
“Cyber risk is more than a technology or security issue, it is a business risk,”
Another good quote from their site stated the following:
“While today’s fast-paced innovation enables strategic advantage, it also exposes businesses to potential cyber-attack. Embedding best practice cyber behaviours help our clients to minimize the impact on business.”
Those are some great quotes that would make you think that Deloitte was a competent cyber security consultant, but it appears like the contrary is true since they didn’t even implement two step authentication on their email servers.
Additionally Deloitte states that they have a cyber intelligence center that monitors threats around the clock. Well apparently when it was monitoring threats it forgot to look at its own firm which one might say is the ultimate threat to a cyber intelligence center. How can a cyber intelligence center be successful if the firm it is funded by goes under due to a lack of security.
In conclusion, Deloitte had another record year of revenue in 2017 with $38.8 billion in revenue, but that record growth seems in jeopardy with this breach. Many clients will lose confidence in Deloitte’s ability to protect their sensitive data. Deloitte’s clients might take their business elsewhere to have a better assurance of security. One of the most important parts of being an auditor is being able to keep private data private to make sure that no one can get an edge and make financial gain from non public information. Deloitte will also no doubt lose some of their cyber security consulting clients as they now look like they have no idea what to do from a cyber security perspective. It will be hard for them to go into client proposals and speak to why a company should hire them in light of this huge breach.
Update on Deloitte Cyber Attack
350 Deloitte Clients Impacted
Since the first publication of this story Guardian has broken some more news. There is new information that over 350 of Deloitte’s clients were potentially impacted by the breach.
Some of the clients that might have been impacted are government institutions.
Some of these institutions are U.S. Postal Service, Fannie Mae, Freddie Mac, U.S Department of State, Department of Defense and Department of Homeland Security.
There is also a report that one of the hackers that infiltrated Deloitte catfished a Deloitte user that had superuser access to Deloitte’s email servers
New York Attorney General Investigates Deloitte
Another report that has been released is that Deloitte is currently being investigated by the New York Attorney General. Deloitte has come out and said that this is a routine investigation into the cyber attack and that there is nothing to worry about.