Deloitte, the biggest of the Big 4, has joined the ranks of the hacked. This morning, The Guardian reported that the firm was the latest massive organization to have suffered a cyberattack, and that confidential client information was the target. To make matters worse, Deloitte failed to notice the breach for months. And to add a little insult to injury:
The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.
The account required only a single password and did not have “two-step” verification, sources said.
Oh, boy. That’s embarrassing. That’s right up there with Equifax’s bumbling of their own security.
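The configuration The Guardian describes, a privileged account on the global mail server protected by a single password, is exactly the kind of thing a directory audit should catch before an attacker does. Below is an added example (not code from this post, and not anything Deloitte uses) in Python: it reads a constructed account export, treats a few illustrative role names as privileged, and flags any enabled privileged account that has no second factor or only a phishable one such as SMS. The export format, the role names and the accounts are all assumptions made up for the example.

```python
"""Audit a directory export for privileged accounts that can be taken over with one password.

Added example. The export format, role names and all account records below are
constructed for illustration and do not come from any real directory.
"""
from dataclasses import dataclass

# Roles treated as privileged. Assumption: illustrative names, not any vendor's exact role list.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator", "Domain Admin"}

# Second factors from weakest to strongest. "none" means the account is password-only.
FACTOR_STRENGTH = {"none": 0, "sms": 1, "app": 2, "fido2": 3}


@dataclass
class Account:
    upn: str
    roles: frozenset
    mfa: str        # one of the FACTOR_STRENGTH keys
    enabled: bool


@dataclass
class Finding:
    upn: str
    severity: str   # "critical" (no second factor) or "high" (weak second factor)
    reason: str


def parse_export(text):
    """Parse lines of the constructed form 'upn;role1|role2;mfa;enabled'."""
    accounts = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        upn, roles, mfa, enabled = [field.strip() for field in line.split(";")]
        mfa = mfa.lower()
        if mfa not in FACTOR_STRENGTH:
            raise ValueError(f"unknown MFA method {mfa!r} for {upn}")
        role_set = frozenset(r for r in roles.split("|") if r)
        accounts.append(Account(upn, role_set, mfa, enabled.lower() == "true"))
    return accounts


def audit(accounts, min_strength=2):
    """Return findings for enabled privileged accounts whose second factor is absent
    or weaker than min_strength (default: require at least an authenticator app)."""
    findings = []
    for acct in accounts:
        if not acct.enabled or not (acct.roles & PRIVILEGED_ROLES):
            continue  # disabled accounts and ordinary users are out of scope here
        strength = FACTOR_STRENGTH[acct.mfa]
        if strength == 0:
            findings.append(Finding(acct.upn, "critical",
                                    "privileged account protected by a single password"))
        elif strength < min_strength:
            findings.append(Finding(acct.upn, "high",
                                    f"privileged account relies on {acct.mfa}, "
                                    "which is phishable or SIM-swappable"))
    return findings


# Constructed sample export: one password-only mail admin, one SMS-only domain admin,
# one properly protected admin, one disabled admin and one non-privileged user.
SAMPLE_EXPORT = """
# upn;roles;mfa;enabled
mailadmin@example.com;Exchange Administrator|Global Administrator;none;true
helpdesk@example.com;Helpdesk;none;true
ops-lead@example.com;Domain Admin;sms;true
ciso@example.com;Global Administrator;fido2;true
old-admin@example.com;Global Administrator;none;false
"""

if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(f"[{finding.severity.upper()}] {finding.upn}: {finding.reason}")
```

Run as-is it reports the password-only mail administrator as critical and the SMS-only domain admin as high; the disabled account and the non-privileged helpdesk user are ignored. In a real environment the export would come from the identity provider's own reporting API, and the role set should be the provider's actual privileged-role list rather than the placeholder names used here.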
The Guardian report has vague details, the kind that are satisfying but still unfulfilling:
The breach is believed to have been US-focused and was regarded as so sensitive that only a handful of Deloitte’s most senior partners and lawyers were informed.
The Guardian has been told the internal inquiry into how this happened has been codenamed “Windham”. It has involved specialists trying to map out exactly where the hackers went by analysing the electronic trail of the searches that were made.
The team investigating the hack is understood to have been working out of the firm’s offices in Rosslyn, Virginia, where analysts have been reviewing potentially compromised documents for six months.
It has yet to establish whether a lone wolf, business rivals or state-sponsored hackers were responsible.
In my imagination, one of the other Big 4 firms created a slush fund to pay for the operation. Remember that cabal of Deloitte spies that was reported on late last year? What if this is revenge? Don’t dismiss the possibility!
Anyway, the backdrop of all this, of course, is that Deloitte markets itself as an expert in cybersecurity. The most sophisticated companies in the world ask Deloitte for help safeguarding their stuff and now Deloitte has been exposed for its dodgy security. A firm spokesman told The Guardian that it has contacted “the very few clients impacted and notified governmental authorities and regulators.”
If I were a client of Deloitte, I’d be…unconvinced? It always seems like when a scandal hits a huge company, they play it down, only to discover a week or two later that the bad event was worse than they thought. If a professional services firm suffers a breach because someone failed to use two-factor authentication, I think a fair number of people would question everything they had to say about the situation.