Update to who may be affected. On October 10th, 2017, the Guardian reported that while Deloitte has only admitted to notifying six clients, sources say the compromised server contained emails for 350 clients, including the US Departments of State, Energy, Homeland Security and Defense, the US Postal Service, the National Institutes of Health, Fannie Mae and Freddie Mac, among many others. Deloitte did not deny that any of these clients had information in the hacked system, but it says that none of these organizations was "impacted", whatever that means. It also said that the attackers only targeted a small fraction of the emails stored on the platform. The sources who spoke with the Guardian contested these claims. No doubt, to be continued. Link: https://www.theguardian.com/business/2017/oct/10/deloitte-hack-hit-server-containing-emails-from-across-us-government .
Timeline update: Deloitte discovered the breach in March of 2017, but it is believed that hackers had been inside the cybersecurity consulting firm's systems since the prior October or November, so it took Deloitte roughly four to five months to discover the breach. They hired the law firm of Hogan Lovells in April to help them investigate and manage the spin, and it took another five months for the secret to leak out. One assumes that they notified affected customers more quickly than we found out about it.
In what has to be a very embarrassing situation, Deloitte was forced to admit that its corporate email was hacked because an administrator didn't think that using multi-factor authentication was important and corporate policy, apparently, did not require it.
Now Deloitte is paying Hogan Lovells who knows how much money to figure out what data was stolen so that they can notify the appropriate clients.
In addition to emails, the Guardian says that the hackers had access to user IDs and passwords, IP addresses, architectural diagrams for businesses and health information. Some of the emails had attachments with sensitive security and design information.
Apparently Deloitte only told a handful of partners and lawyers about the breach. One can only assume that was to contain the damage. Unfortunately for Deloitte, you cannot keep information like this secret for long.
Deloitte hired Hogan Lovells in April to provide them with advice on a possible cybersecurity incident and the fallout from that. Apparently, you can keep something like this secret for about four or five months.
Deloitte told the Guardian that only a handful of customers were affected; so far, they claim, they have notified 6 customers.
Deloitte’s CyberIntelligence Center provides clients with 24×7 business focused operational security. I wonder if they are their own customer.
In 2012 Deloitte was ranked the number one cyber security consultant in the world (the article says they were ranked the best; that is not correct. They were ranked number one by sales volume).
For them to have to admit that hackers stole confidential client data from their email system because they were not following what is considered industry standard practices….
While they are not saying very much about what happened, apparently an administrator's password was compromised, and because that account was not protected by two-factor authentication, a single password was all that was required to put 5 million emails belonging to 240,000 employees at risk.
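The failure described above is a policy gap, not a clever exploit: one privileged account that could be unlocked with a password alone. The script below is an added example, not code from the original post or from Deloitte, showing the kind of audit and sign-in check a practitioner would want in place. It runs over a constructed directory export; the role names, method names and accounts are assumptions for illustration, not details from the Guardian's reporting.

```python
import json

# Roles that can read, search or export other users' mailboxes. The names are
# illustrative assumptions, not the names of any real product's roles.
PRIVILEGED_ROLES = {"global_admin", "exchange_admin", "mailbox_search"}

# MFA methods that resist credential phishing. SMS and push prompts are not in this set.
PHISHING_RESISTANT = {"fido2", "smartcard"}

# Constructed sample export: one record per account, as a directory or IdP
# would return it. None of these accounts or addresses are real.
CONSTRUCTED_EXPORT = json.dumps([
    {"user": "ops-admin@example.com", "roles": ["global_admin"],   "mfa_methods": [],        "enabled": True},
    {"user": "mail-admin@example.com", "roles": ["exchange_admin"], "mfa_methods": ["sms"],   "enabled": True},
    {"user": "sec-admin@example.com",  "roles": ["exchange_admin"], "mfa_methods": ["fido2"], "enabled": True},
    {"user": "alice@example.com",      "roles": [],                 "mfa_methods": [],        "enabled": True},
    {"user": "old-admin@example.com",  "roles": ["global_admin"],   "mfa_methods": [],        "enabled": False},
])


def is_privileged(account):
    """True if the account holds any role that exposes other people's mail."""
    return bool(set(account.get("roles", [])) & PRIVILEGED_ROLES)


def classify(account):
    """Severity of the MFA gap for one account, or None if there is no gap."""
    if not account.get("enabled", True):
        return None  # cannot sign in; track separately as stale admin accounts
    methods = set(account.get("mfa_methods", []))
    privileged = is_privileged(account)
    if privileged and not methods:
        return "critical"  # a single password unlocks an admin role
    if not methods:
        return "high"      # password-only sign-in for an ordinary user
    if privileged and not (methods & PHISHING_RESISTANT):
        return "medium"    # MFA present but phishable (SMS, push)
    return None


def audit(export_json):
    """Map each account with a gap to its severity; clean accounts are omitted."""
    findings = {}
    for account in json.loads(export_json):
        severity = classify(account)
        if severity:
            findings[account["user"]] = severity
    return findings


def evaluate_sign_in(account, presented_factors, require_mfa_for_all=False):
    """Policy decision for a sign-in: (allowed, reason).

    A password alone is never enough for a privileged role. Setting
    require_mfa_for_all=True extends that rule to every account.
    """
    factors = set(presented_factors)
    if "password" not in factors:
        return False, "no primary credential"
    second_factor = bool(factors - {"password"})
    if is_privileged(account) and not second_factor:
        return False, "privileged role requires a second factor"
    if require_mfa_for_all and not second_factor:
        return False, "policy requires a second factor for all accounts"
    return True, "ok"


if __name__ == "__main__":
    for user, severity in sorted(audit(CONSTRUCTED_EXPORT).items()):
        print(f"{severity:8} {user}")
    admin = json.loads(CONSTRUCTED_EXPORT)[0]
    print(evaluate_sign_in(admin, ["password"]))
    print(evaluate_sign_in(admin, ["password", "fido2"]))
```

Run against a real export, the audit is the list you want to be empty before an attacker reads it for you; the sign-in check is the rule that should have stopped a stolen admin password from being sufficient on its own.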
Deloitte says that the number of emails compromised was a small fraction of the 5 million number. Is 2 million a small fraction? They are not saying. One has to presume that because they are being very coy with the numbers, the answer must look pretty bad for Deloitte.
Deloitte has the resources to recover from this, even if they lose clients and it costs them a couple hundred million dollars.
For most companies, a breach like this could be a fatal event.
What would this do to your company?
Are you even prepared to respond to an event like this? Deloitte can afford Hogan Lovells' billable rate (likely in the $500 an hour range), but can you?
Have you implemented "best commercial cyber security practices"? Requiring two-factor authentication for email administrators is probably not "best" commercial cyber security practice; it is more likely considered "average" cyber security practice.
Deloitte wasn't even doing that well.
How about you?
Information for this post came from the Guardian.