Please ensure Javascript is enabled for purposes of website accessibility
September 24, 2023

Data Breach at Deloitte Hitting Too Close to Home for Accountants

data breach deloitte cyber attack data breach resize

My, my. So many data breaches to talk about, it’s hard to know where to start. Caleb has already been keeping you up to date with the latest on some of the recent hacks but let’s dig in a little more about one breach in particular.

Uh oh, Deloitte

We learn time, and time again, that big firms screw up (coughAndersencough) and that’s why we enjoy reading the PCAOB reports every year. No one really pays too much mind to the PCAOB audit findings outside the industry professionals  but when you start to herald “data breach” even the non-accountants’ ears perk up to listen, and that’s not a good thing.

One of our own, beloved Big 4 made data breach headlines at the end of September. It’s more than a little embarrassing for a cybersecurity consulting expert. When Caleb shared the news last week, he predicted that:

when a scandal hits a huge company, they play it down, only to discover a week or two later that the bad event was worse than they thought.

I’d say that’s proving accurate as time passes. The initial reports seem to have downplayed the incident, saying it only had impacted a handful of clients. While it may be too soon to know the full extent of the breach (heck, I’m sure Deloitte doesn’t know for certain), the internet gossip on the matter indicates it’s probably going to become appalling as time goes on.

For instance, this KrebsOnSecurity article references a firm-wide password reset request that went out last October that seems like too much of a coincidence. And his sources claim that Deloitte may not “know exactly how much total data was taken.” The article goes on:

The source told KrebsOnSecurity they were coming forward with information about the breach because, “I think it’s unfortunate how we have handled this and swept it under the rug. It wasn’t a small amount of emails like reported. They accessed the entire email database and all admin accounts. But we never notified our advisory clients or our cyber intel clients.”

“Cyber intel” refers to Deloitte’s Cyber Intelligence Centre, which provides 24/7 “business-focused operational security” to a number of big companies, including CSAA Insurance, FedEx, Invesco, and St. Joseph’s Healthcare System, among others.

This same source said forensic investigators identified several gigabytes of data being exfiltrated to a server in the United Kingdom. The source further said the hackers had free reign in the network for “a long time” and that the company still does not know exactly how much total data was taken.

I can’t corroborate the claims made by this anonymous source, so it’s just internet gossip at this point. But, if there is even a shred of truth behind it, I’m interested to see if anyone has the guts to go on the record about it. I don’t think whistleblower rules apply on this one, unfortunately.

Standard foot-dragging

The fear of going public with these situations causes people to avoid ripping off the band-aid and tugging one hair out at a time instead. But, that’s not really unusual, just look at Yahoo, who after four years was finally willing to admit on Tuesday, according to Reuters, that “all 3 billion accounts were compromised in the 2013 breach.” Another prime example, Forbes says that Equifax sat on their breach information for over a month before spilling the beans.

Even our good-ol’ SEC didn’t want to tell people about vulnerabilities in the EDGAR system that caused hackers to get access to nonpublic information about issuers (although, I wouldn’t be surprised if the SEC actually didn’t know until this August.) Per the WSJ:

The SEC disclosed in September that EDGAR was hacked in 2016. The SEC didn’t realize until August that information gleaned from the intrusion may have allowed hackers to trade illegally, Mr. Clayton said last month.

Fair warning

In Deloitte’s case, it may stem from lax password controls such that “account access authentication [at Deloitte] simply required a single password and did not have a “two-step” verification.” Which again, is so elementary when it comes to internal control it even comes with a juice box.

But, hey, I did warn you this might happen (okay, maybe it was Verizon in their 2017 Data Breaches Investigations Report), but still, the prophecy that this would be the year of cyber espionage is coming to fruition. Does this ring a bell:

In sum, here are the recommendations for financial services firms… ‘Taunt them a second time—Use two-factor or multi-factor authentication…’

Those RSA tokens aren’t just for show, and they can’t always protect you if an administrator account is compromised.

But, at the end of the day, what’s the consequence for Deloitte? A PR nightmare and maybe some fines? A congressional hearing? Lost clients and revenue? I have a feeling, not much. And, while EY may get roped into the Equifax debacle over internal controls, who can we point to for Deloitte’s current mess? Who issues a SOC 2 over Deloitte’s systems? Anyone?

Image: Photo by William Iven on Unsplash

Latest Accounting Jobs--Apply Now:

Have something to add to this story? Give us a shout by email, Twitter, or text/call the tipline at 202-505-8885. As always, all tips are anonymous.

Comments are closed.

Related articles

Woman wearing a dunce cap writing I WILL NOT on a concrete wall

Look What PwC Made the Australian Government Have to Do

The Australian government released exposure draft legislation yesterday in response to “the PwC matter” and the funniest part is the special email they made to receive comments: [email protected]. Not ConsultingReponse or Sept23TaxReform, specifically PwCResponse. In four separate exposure drafts that amend the Taxation Administration Act 1953 (TAA) and/or the Tax Agent Services Act 2009 (TASA), […]

Upset stressed woman holding cellphone disgusted shocked with message she received isolated grey background. Funny looking human face expression emotion feeling reaction life perception body language

6 Ways Email is Secretly Destroying Your Accounting Firm

Email: The word itself sounds innocent, doesn’t it? Kind of like “snail mail,” but faster, sleeker, and without the slimy trail. But don’t be fooled—email is secretly a sinister beast, hiding in the shadows as it plots to destroy businesses—including your accounting firm. If your accounting firm still relies heavily on email for client communication […]