Deloitte, the accounting firm that stands as one of the largest private companies in the US, has been hacked. The firm reported $38.8 billion in revenue last fiscal year and offers tax, auditing, operations consulting, cybersecurity advisory, and merger and acquisition assistance services to large banks, government agencies, and large Fortune 500 multinationals, among others.
Hackers managed to gain access to Deloitte’s email server through an administrator account that wasn’t secured using two-factor authentication (2FA). 2FA requires not only a password and username but also something that only that user has on them. The hackers had unrestricted access to Deloitte’s Microsoft-hosted email mailboxes.
“So far, six of Deloitte’s clients have been told their information was ‘impacted’ by the hack. The hackers were able to obtain usernames, passwords, IP addresses, architectural diagrams for businesses and health information, and some emails also had sensitive attachments. Deloitte’s internal review into the incident is ongoing.”
The attack, which appeared to target the firm’s U.S. operations, was discovered in March and could have begun as early as October 2016.
Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft.
What Deloitte Has Said About the Data Breach
On September 25, Deloitte released a statement that included the following points:
- The attacker accessed data from an email platform. The review of that platform is complete.
- Only very few clients were impacted.
- No disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.
Deloitte also indicated that it had contacted governmental authorities immediately after becoming aware of the incident, and said it had contacted each of the very few clients impacted.
The company remains “deeply committed to ensuring that our cybersecurity defenses are best in class,” and will “continue to evaluate this matter and take additional steps as required,” the representative said.