Deloitte, one of the “big four” global accounting firms, admitted Monday it fell victim to a cyber attack, but downplayed the incident, saying it only affected a few of its high-profile clients.
Details around the incident are hazy but according to The Guardian, which broke the news Monday morning, attackers potentially accessed email addresses, usernames, passwords, and IP addresses belonging to an unknown number of Deloitte clients.
The Guardian, citing sources at the company, claims attackers may have had access to Deloitte’s systems as far back as October or November 2016. The British newspaper claims the firm discovered the hack in March.
Deloitte has 80 U.S. offices and hundreds more globally; the company is among the world’s highest-grossing accounting firms, followed by PricewaterhouseCoopers, Ernst and Young, and KPMG. Its big-name clients include MetLife, Berkshire Hathaway, Microsoft, GM, and Boeing.
In a statement provided to Threatpost, Deloitte said that very few of its clients were affected by the attack.
“No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers,” a spokeswoman told the paper.
The company says it initiated and has since concluded a review of the incident, contacted governmental authorities, and contacted the clients hit by the incident.
“Deloitte’s response to the cyber incident included the following:
- Implementing its comprehensive security protocol and initiating an intensive and thorough review which included mobilizing a team of cyber-security and confidentiality experts inside and outside of Deloitte;
- Contacting governmental authorities immediately after it became aware of the incident; and,
- Contacting each of the very few clients impacted.
The attacker accessed data from an email platform. The review of that platform is complete. Importantly, the review enabled us to understand precisely what information was at risk and what the hacker actually did and to determine that:
- Only very few clients were impacted
- No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers
Deloitte remains deeply committed to ensuring that its cyber-security defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cyber security,” the statement reads.
According to reports, attackers managed to compromise Deloitte’s global email server via an admin account that was protected by a single password with no two-factor authentication. The Guardian claims the email platform, to which the attacker seemingly had unfettered access, was hosted on Microsoft’s Azure cloud service. The report maintains the breach is primarily “US-focused.” While no clients are named, some emails included attachments with “sensitive security and design details,” the paper said.
If the details of The Guardian’s report are correct, experts say the breach could have been easily prevented.
“The fact that a Deloitte administrator account was accessible without multi-factor authentication is inexcusable. To make matters worse, it appears that no one at Deloitte noticed suspicious account activity for months,” Willis McDonald, a threat research manager at Core Security, said Monday afternoon. “The effects of an email breach at Deloitte could have dire consequences due to the sensitive nature surrounding the auditing of clients.”
On top of that, if the attackers were inside Deloitte’s systems, the damage could already be done, McDonald said.
“With months of access to sensitive communiques an attacker could have the keys to the kingdom of many large entities.”
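The two gaps the reports describe, a privileged account protected by a password alone and months of sign-ins that nobody reviewed, are exactly what a periodic audit of an identity provider’s account inventory and sign-in export is meant to surface. The script below is an added example, not code from Threatpost, Deloitte or The Guardian; the account records, sign-in lines, field layout and thresholds are constructed assumptions.

```python
"""Audit a constructed account inventory and sign-in export for password-only
admins and for sustained, off-hours admin access that went unreviewed."""
from datetime import datetime

# Constructed inventory (assumed layout): (username, is_admin, mfa_enrolled)
ACCOUNTS = [
    ("svc-mailadmin", True, False),
    ("secops-admin", True, True),
]

# Constructed sign-in export (assumed layout): timestamp,user,source_ip,result
SIGNIN_LOG = """\
2016-10-14T02:11:09Z,svc-mailadmin,203.0.113.7,success
2016-10-14T09:30:00Z,secops-admin,198.51.100.20,success
2016-11-02T03:40:12Z,svc-mailadmin,203.0.113.7,success
2017-01-19T01:05:55Z,svc-mailadmin,203.0.113.7,success
2017-02-07T10:00:00Z,secops-admin,198.51.100.20,success
2017-03-03T04:12:30Z,svc-mailadmin,203.0.113.7,success
"""

def admins_without_mfa(accounts):
    """Privileged accounts whose only protection is a password."""
    return [user for user, is_admin, mfa in accounts if is_admin and not mfa]

def privileged_activity(log_text, accounts, off_hours=range(0, 6)):
    """Summarise successful admin sign-ins per (user, source IP):
    first seen, last seen, total count and how many fell in off-hours (UTC)."""
    admins = {user for user, is_admin, _ in accounts if is_admin}
    summary = {}
    for line in log_text.splitlines():
        ts_text, user, ip, result = line.split(",")
        if user not in admins or result != "success":
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        e = summary.setdefault((user, ip), {"first": ts, "last": ts, "count": 0, "off": 0})
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        e["count"] += 1
        e["off"] += ts.hour in off_hours
    return summary

def findings(log_text, accounts, min_span_days=60):
    """Flag password-only admins whose sign-ins from one source were all off-hours
    and persisted for at least min_span_days: the kind of sustained access a
    regular review of privileged accounts should catch long before months pass."""
    weak = set(admins_without_mfa(accounts))
    out = []
    for (user, ip), e in privileged_activity(log_text, accounts).items():
        span = (e["last"] - e["first"]).days
        if user in weak and e["off"] == e["count"] and span >= min_span_days:
            out.append((user, ip, span))
    return out
```

Run against a real export, the first function is the remediation list (enrol MFA or retire the account) and the second is the review queue; both are meant to be run on a schedule, not once.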
Photo via edwinvanbuuringen’s Flickr photostream, Creative Commons