My, my. So many data breaches to talk about, it’s hard to know where to start. Caleb has already been keeping you up to date with the latest on some of the recent hacks but let’s dig in a little more about one breach in particular.
Uh oh, Deloitte
We learn time and time again that big firms screw up (coughAndersencough), and that’s why we enjoy reading the PCAOB reports every year. No one really pays too much mind to the PCAOB audit findings outside the industry professionals, but when you start to herald “data breach,” even the non-accountants’ ears perk up to listen, and that’s not a good thing.
One of our own, beloved Big 4 made data breach headlines at the end of September. It’s more than a little embarrassing for a cybersecurity consulting expert. When Caleb shared the news last week, he predicted that:
when a scandal hits a huge company, they play it down, only to discover a week or two later that the bad event was worse than they thought.
I’d say that’s proving accurate as time passes. The initial reports seem to have downplayed the incident, saying it had only impacted a handful of clients. While it may be too soon to know the full extent of the breach (heck, I’m sure Deloitte doesn’t know for certain), the internet gossip on the matter indicates it’s probably going to become appalling as time goes on.
For instance, this KrebsOnSecurity article references a firm-wide password reset request that went out last October, which seems like too much of a coincidence. And his sources claim that Deloitte may not “know exactly how much total data was taken.” The article goes on:
The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”
“Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.
This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free rein in the network for “a long time” and that the company still does not know exactly how much total data was taken.
I can’t corroborate the claims made by this anonymous source, so it’s just internet gossip at this point. But, if there is even a shred of truth behind it, I’m interested to see if anyone has the guts to go on the record about it. I don’t think whistleblower rules apply on this one, unfortunately.
The fear of going public with these situations causes people to avoid ripping off the band-aid and to tug one hair out at a time instead. But that’s not really unusual; just look at Yahoo, which after four years was finally willing to admit on Tuesday, according to Reuters, that “all 3 billion accounts were compromised in the 2013 breach.” Another prime example: Forbes says that Equifax sat on their breach information for over a month before spilling the beans.
Even our good-ol’ SEC didn’t want to tell people about vulnerabilities in the EDGAR system that let hackers get access to nonpublic information about issuers (although I wouldn’t be surprised if the SEC actually didn’t know until this August). Per the WSJ:
The SEC disclosed in September that EDGAR was hacked in 2016. The SEC didn’t realize until August that information gleaned from the intrusion may have allowed hackers to trade illegally, Mr. Clayton said last month.
In Deloitte’s case, it may stem from lax password controls such that “account access authentication [at Deloitte] simply required a single password and did not have a ‘two-step’ verification.” Which, again, is so elementary when it comes to internal control that it even comes with a juice box.
But, hey, I did warn you this might happen (okay, maybe it was Verizon in their 2017 Data Breach Investigations Report), but still, the prophecy that this would be the year of cyber espionage is coming to fruition. Does this ring a bell:
In sum, here are the recommendations for financial services firms… ‘Taunt them a second time—Use two-factor or multi-factor authentication…’
Those RSA tokens aren’t just for show, but even they can’t always protect you if an administrator account is compromised.
But, at the end of the day, what’s the consequence for Deloitte? A PR nightmare and maybe some fines? A congressional hearing? Lost clients and revenue? I have a feeling, not much. And, while EY may get roped into the Equifax debacle over internal controls, who can we point to for Deloitte’s current mess? Who issues a SOC 2 over Deloitte’s systems? Anyone?