As one of the four largest accounting firms in the world, Deloitte has a name that comes with expectations regarding security. Data breaches are not something the firm should be associated with, and definitely not something it will take lightly.
However, the firm is now facing a PR nightmare after it was revealed that hackers were able to gain access to information from its major corporate and government clients in the U.S. What's worse is that the breach was discovered by systems administrators as early as March of this year, but kept secret by Deloitte.
Major Data Breach Due to Preventable Security Lapse
For a large accounting firm like Deloitte, which deals with sensitive data from major corporations and the U.S. government itself, people would naturally assume that a sophisticated hack by a computer genius is responsible, or at least an inside job. A firm as large as Deloitte should have rock-solid, airtight cyber security. And in a way, yes, they do have state-of-the-art security and most likely enforce strict rules and regulations designed to prevent data breaches. But sadly, this breach seems to have occurred because Deloitte did not employ something as simple as 2-factor authentication.
The Weakest Link
According to investigators, the hacker (or hackers) did not employ any sophisticated tools or strategy to gain access to Deloitte's servers. In fact, they were sloppy enough to leave an electronic trail that shows what they were targeting and how they managed to get in: they were able to gain access to the account of an administrator of the firm's email accounts.
Details are sketchy as of now, but it does not matter how tight security is at the firm if one of the administrators was not careful about their own access. If their account is compromised, the hackers gain access to everything. Something as simple as turning on 2-factor authentication for their own email address could have prevented the breach.
Who is Affected in the Breach
Deloitte is trying to downplay the data breach, insisting that only a small fraction of its clients are affected. The investigation is being kept under wraps, but the media has reported that six major clients have already been notified that their data has been compromised. The data include sensitive (and dangerous) information such as IP addresses, passwords and usernames, and even health information.
Considering that it was an administrator's account used to gain access, it is hard to believe that the breach is small enough to be of no consequence to all of Deloitte's clients. To get an idea of the scope of the hack, the firm reportedly stores emails from more than 244,000 staff members on Microsoft's Azure Cloud servers, all of which were theoretically laid bare to the hacker.
Deloitte's reputation is suffering right now from the breach, especially since they run a "CyberIntelligence Centre" that frequently advises clients on cyber security, and were named the best cybersecurity consultant in the world by research firm Gartner in 2012. It would be really embarrassing for a firm that doles out cybersecurity advice if one of their administrators doesn't even have the good sense to use 2-factor authentication.
This case definitely belongs on our top 10 cyber attacks list.