Deloitte, a source of cyber-security advice - hacked, emails accessed

News by SC Staff

Deloitte, one of the largest private US companies and a leading source of cyber-security advice for corporates, has had its email server hacked using legitimate credentials: client details were revealed, the attackers were on the system for months and no 2FA was in place.

Five years ago Gartner ranked the big-four accounting firm Deloitte as number one in cyber-security, but today it has been reported that usernames, passwords and personal details of some of its leading clients have been obtained by hackers.

The Guardian newspaper reports that the London-registered company, with global headquarters in New York, had its email system hacked, possibly as long ago as October or November 2016, but that it only discovered the breach in March this year. With a reported US$37 billion (£27.3 billion) revenue last year, it is one of the largest private firms in the US and, as well as accountancy services, provides “high-end cyber-security advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies,” according to the report, which notes that at least six major clients have been informed that their data is impacted.

All emails to and from Deloitte's 244,000 staff are stored in an Azure cloud service provided by Microsoft, and it appears that an “administrator's account” was used to give the hackers unrestricted “access to all areas.”

According to the report, on 27 April Deloitte hired US law firm Hogan Lovells on “special assignment” to review what it called “a possible cyber-security incident”, with the investigation subsequently codenamed “Windham.”

The Guardian quotes a spokesperson saying, “In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cyber-security and confidentiality experts inside and outside of Deloitte. As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” adding: “... no disruption has occurred to client businesses, to Deloitte's ability to continue to serve clients, or to consumers.”

Only a small fraction of the reported five million emails at risk are reported to have actually been accessed.

Industry commentators contacting SC include Dr Jamie Graves, CEO of ZoneFox, who noted: “This attack is another clear example that anyone can be affected by cybercriminals - even those whose speciality is to stop them. It's discomforting to see that even an experienced firm such as Deloitte has fallen victim to attackers supposedly using an administrative password and account to access their Azure storage. This has to act as a wake-up call for the industry to pursue a more proactive, threat-hunting approach to their cyber-security.”

In response to the suggestion that the account only needed a password and did not use two factor verification, Graves added, “Passwords still have a hugely important role to play in securing information, but they have to be combined with other layers of security within a two or multi-factor approach. The bottom line is that data visibility has to be in place for an effective, modern security structure; firms need to know not just who is accessing their data, but where it's being accessed from, what has specifically been looked at and where the data (or copies of it) is residing, while stationary and in transit.

“Extra layers - such as IP listing and user behaviour analytics - would have helped Deloitte identify that outside agents were using the administrative account; certainly reducing the time the attackers spent within the network before being noticed. Months of access combined with six months of behind-the-scenes work before the attack has come to general attention would certainly fall foul of GDPR once it goes live and does little to generate sympathy for the firm. It's a worthy tactic to try and trace the cyber-footsteps of the attackers now, but a more proactive approach, utilising machine learning and augmented or artificial intelligence, will ensure firms can identify threats before they can create a major security concern.”
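As an added illustration of the detection layers Graves describes (this is example code written for this page, not code from the article or from any of the firms quoted), the following Python check flags administrator sign-ins that used no second factor or came from an address outside an assumed corporate allow-list, and measures how long such access went unnoticed. The sign-in records and the network range are constructed placeholders.

```python
import ipaddress
from datetime import datetime

# Constructed sample sign-in records (not real Deloitte data): an admin
# account signs in from an unlisted address with a password only, months apart.
SIGNINS = [
    {"user": "mail-admin", "admin": True, "mfa": False, "ip": "198.51.100.7", "time": "2016-11-02T03:14:00"},
    {"user": "mail-admin", "admin": True, "mfa": False, "ip": "198.51.100.7", "time": "2017-01-15T02:40:00"},
    {"user": "mail-admin", "admin": True, "mfa": True, "ip": "203.0.113.10", "time": "2017-02-01T09:05:00"},
    {"user": "j.smith", "admin": False, "mfa": False, "ip": "198.51.100.9", "time": "2017-02-01T09:30:00"},
]

# Assumed corporate egress range (placeholder from a documentation-reserved prefix).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def flag_admin_signins(events, allowed_nets):
    """Return admin sign-ins that lacked MFA or came from an address outside the allow-list."""
    findings = []
    for e in events:
        if not e["admin"]:
            continue  # scrutiny is focused on privileged accounts
        reasons = []
        if not e["mfa"]:
            reasons.append("no_mfa")
        addr = ipaddress.ip_address(e["ip"])
        if not any(addr in net for net in allowed_nets):
            reasons.append("ip_not_listed")
        if reasons:
            findings.append({"user": e["user"], "ip": e["ip"], "time": e["time"], "reasons": reasons})
    return findings


def dwell_days(findings, detected_at):
    """Whole days between the earliest flagged sign-in and the moment the breach was noticed."""
    if not findings:
        return 0
    first = min(datetime.fromisoformat(f["time"]) for f in findings)
    return (datetime.fromisoformat(detected_at) - first).days


if __name__ == "__main__":
    hits = flag_admin_signins(SIGNINS, CORPORATE_NETS)
    for h in hits:
        print(h["time"], h["user"], h["ip"], ",".join(h["reasons"]))
    print("dwell days before detection:", dwell_days(hits, "2017-03-01T00:00:00"))
```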

Tony Pepper, co-founder and CEO of Egress, agrees, noting: “Deloitte is a ripe target because of the company's position right at the top of the corporate food chain. They work with some of the biggest organisations on earth, at the very highest level, which is like a red rag to a bull for hackers.

“Whilst it hasn't been confirmed exactly what was stolen, compromised mail servers can be a good source of sensitive information for an attacker, allowing them to siphon off message content and attachments. This is why multi-factor access control such as two-factor authentication is important, especially for admins. It makes it much harder to gain illicit access in the first place, and provides a warning if someone is trying to log in without your knowledge.

“Additionally, if staff's stored emails were encrypted, which arguably most sensitive content should be, then it would be impossible to decrypt each one, even with administrator access. However, if they are not and the attacker has enough time on target, hacked mail servers can provide a wealth of information.”

Javvad Malik, security advocate at AlienVault, adds: “The unfortunate incident demonstrates that even the largest of organisations can sometimes overlook fundamental security practices such as not enabling two-factor authentication on administrative accounts.

“It also highlights the importance of ongoing monitoring and threat detection so that any malicious activity can be detected and responded to in a timely manner.”

Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, is more critical in his comments, saying: “Every day that I read another major organisation has lost data due to misconfiguration, patches not implemented or user password loss, I despair at our lack of appropriate IT security. It's shocking if a system was set up with a simple password allowing access to major business information.

“It should be imperative that users have least privilege access, admins should not be able to access business information, everyone should deploy multi-factor authentication, and users and traffic should be measured for unusual patterns – constant vigilance is key. You have to be paranoid because cyber-criminals ARE out to get you”.

Rob Wilkinson, corporate security specialist at internet security company Smoothwall, is equally harsh in his criticism, saying companies should practise what they preach: “When an organisation that openly emphasises cyber-security as paramount to any business is then itself found to be the victim of a major cyber-breach – as with the case of Deloitte – it asks some very serious questions of a company which may have been leaking highly-sensitive information since October last year. For a company reporting a near US$40 billion revenue ... what's clear is that not enough of that money has been poured into protecting names, emails and plans of some of its biggest clients in the case of a hack. For Deloitte, this could lead to serious financial and reputational damage, more so than any other company – it's clearly not practising what it preaches.

“While you would assume Deloitte has the appropriate monitoring, encryption and threat detection in place, it's clearly not enough to protect them from this type of “access all areas” hack.”

Sam Curry, CSO for Cybereason, notes: “... if access was gained through an “administrator's account” that, in theory, gave hackers unrestricted “access to all areas” of the network, then this is a wake-up call for corporations to at a minimum have two-step authentication in place as opposed to a single password. Keep in mind, thousands of other companies ... have been breached but have thus far managed to stay out of the headlines. Trust me, other breaches have occurred.

“I urge all corporations to immediately build out a hunting practice and to improve their security hygiene and their ability to stop attackers by deploying a strategy where they can disrupt the hackers early in the process by likewise getting it right once and being able to respond, preventing attackers from setting up beachheads and back doors. Of course, garden variety threats need to be able to be detected, but the sophisticated threats need to be found and stopped earlier as well. Corporations also need a professional, modern CIRC, a real strategy for segmentation and good hygiene and to elevate the way security is managed and operated.”
