Accounting company Deloitte works with large and influential clients across several industry sectors. It’s known to be used by governments, Fortune 500 companies and giant multinational conglomerates. Amongst other services, it offers cybersecurity advice which has previously been ranked the best in the world. This makes today’s report from UK newspaper The Guardian all the more embarrassing.
Deloitte discovered the breach back in March. It set up a dedicated team to investigate the incident but has not previously publicly announced the attack. The company is still unsure of when the attackers gained access to its systems. It’s thought the breach could have been made in October or November 2016.
The attackers obtained full control over Deloitte’s Microsoft-hosted administrator email account. This gave them complete access to the contents of its mailboxes, allowing the theft of confidential emails, documents and contact details linked to the company’s clients. Over 5 million emails were present on the server.
READ NEXT: Small businesses suffer as ransomware epidemic grows
The Guardian said that at least six firms have been contacted privately by Deloitte with information about the breach, including U.S. government departments. However, the company has insisted only a very small number of clients have been impacted. Even after news of the incident broke today, Deloitte has refused to publicly comment on how many people are affected. It has given no concrete indication of the attack’s scale.
At points in its investigation, Deloitte appears to have exhibited concern. It reportedly hired U.S. law firm Hogan Lovells on a “special assignment” to help it navigate through possible legal fallout in the wake of the breach. The company is still assisting Deloitte as it pieces together what the attackers did in the months they had access.
Deloitte’s having to follow a digital breadcrumbs trail to ascertain the movements of the imposters through its Microsoft Azure server. This is difficult and time consuming, which is why Deloitte still knows so little about the incident. It has been unable to ascertain the identity of the attacker or even determine if they were acting alone or as part of a group. Because the hijacked account had such complete control, the attackers were able to move anywhere through the system while leaving minimal tracks.
Deloitte appears to need a measure of its own cybersecurity advice. Its server was compromised because the administrator account required only a single password and did not have two-step verification enabled. The company hasn’t revealed how it found the attack or commented on the lack of security around its email account. It told the media it’s implementing a “comprehensive security protocol” that includes a “thorough review” of the circumstances surrounding the breach.
