Largest cybersecurity consultant of the world rocked by cyber-attack

02 October 2017 Consultancy.uk

The globe’s largest cybersecurity consultant, Deloitte, has been publicly embarrassed following the revelation that it has itself been victim of a major cybersecurity breach. According to sources close to the matter, hackers may have accessed usernames, passwords and personal details of the firm’s clients, in an attack that went unnoticed for months.

New York headquartered professional services firm Deloitte are presently the world’s largest cybersecurity consulting firm, according to a recent analysis. The advisory heavyweights brought in around $2.85 billion in revenue via its security consulting operations over the course of the past year – increasing by 14% over that same spell. As of late September this year however, news has emerged that in that very period, the company had itself been the victim of a sustained cyber-attack, which potentially went unnoticed for a full six month period.

Deloitte’s IT systems, which are supplied by among others Microsoft, through its Azure cloud – an offering which Microsoft is currently exploring the possibilities of blockchain technology to help secure – were discovered to have been breached by hackers in March this year. Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service. Deloitte initially kept the hack internally secret, only informing “a handful” of senior partners and lawyers, as well as the six clients the firm knows to have been directly “impacted” by the attack. The firm believes the initial invasion took place in October 2016, giving the perpetrators access to up to 5 million sensitive company emails and documents from across all the sectors in which Deloitte operates. Clients of the prestigious Big Four firm, which reported a record $37 billion (£27.3 billion) revenue last year, include multinational companies, financial services institutions, media enterprises, pharmaceutical firms and government agencies.

Deloitte’s internal review into the incident is ongoing – the accounting and consulting firm hired major US law firm Hogan Lovells in April to help investigate the breach. The group and its lawyers are working to establish the source of the hack, by tracing the steps of the attackers, with little said to still be known on the matter. However, according to reports circulating in the UK press, the hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”. Despite referring to the process as a “sophisticated hack” meanwhile, the Guardian, which first revealed the breach to the public, also reported sources having stated that the account required only a single password, and did not have “two-step“ verification.

Well-respected American security journalist, Brian Krebs, also reported that sources close to Deloitte had said that hackers accessed the entirety of the firm's internal email database, and all administrative accounts. Worse still for Deloitte, it appears that the hackers transferred or copied a significant amount of that confidential data. Krebs said, “…forensic investigators identified several gigabytes of data being ex-filtrated to a server in the United Kingdom." The source further said the hackers had free reign in the network for “a long time” and that the company still does not know exactly how much total data was taken.

“Very few clients” affected

In a statement, Deloitte said that it contacted government authorities immediately after it became aware of the incident, and notified each of the “very few clients” that had been affected. In addition, “comprehensive security protocol” was implemented after the incident was discovered. Several European members firms, including the UK and the Netherlands, have in addition followed with statements that only US clients were impacted.

As the news broke, meanwhile, Deloitte launched several reports across the globe on potential damages businesses face as a result of cybercrime. Along with having placed at itself at the forefront of cyber-security research, the company's website will have caused further blushes in the context of revelations, boasting that its “Cyber Intelligence Centre integrates state-of-the-art technology with industry insight to provide round-the-clock business-focused operational security [to clients].”

Deloitte is not the only firm to have fallen victim to a high-profile cybersecurity breach, however. Equifax also announced in September that an incident had allowed hackers to gain access to personal information for about 143 million Americans, along with a large number of Canadian and as many as 400,000 British individuals – spurring the FBI and the US Federal Trade Commission to launch formal investigations. Since, at least 50 class action lawsuits have been filed against the company – issuing a stark warning for firms in the future to pay better attention to detail when regarding their exact cyber-security measures.