Deloitte to be investigated by Schneiderman over hack

16 October 2017

New York State’s Attorney-General is investigating Deloitte over a cyber-attack reported by the professional services firm last month. In September, Eric Schneiderman launched a similar probe of Equifax – following a potential breach of the data of 143 million Americans – starting a process which saw the firm's stock fall by 16% in one day.

Throughout 2017, large-scale cyber-attacks have continued to make global headlines, including the infamous WannaCry ransom attack, which compromised patient data in the UK’s NHS. Such attacks cost businesses an estimated total of $280 billion last year alone. Now Deloitte, the world’s largest cyber security consulting provider and previously a trusted provider of security solutions, has been rocked by the news that it is being investigated by the New York State Attorney-General’s office over the large-scale hack of the Big Four firm.

The major cybersecurity breach of Deloitte’s cloud-based email storage was reported by the company last month. However, according to sources close to the matter, the initial hacking may have taken place as early as October 2016. The situation subsequently went unnoticed until April, potentially granting the perpetrators a six-month window of access to usernames, passwords and personal details of the firm’s clients. Deloitte initially kept the hack secret internally, only informing “a handful” of senior partners and lawyers at Hogan Lovells – brought in to investigate the attack – as well as the six clients the firm knows to have been directly “impacted” by the attack.

The cybersecurity giant was keen to downplay the extent of the damage initially, claiming in its announcements regarding the breach that information on “very few clients” had been directly compromised. However, according to reports circulating in the UK press, the hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”. UK newspaper The Guardian, which first revealed the breach to the public, also reported claims that the account required only a single password, which did not have “two-step” verification. Meanwhile, well-respected American security journalist Brian Krebs also alleged that the hackers appeared to have transferred or copied a significant amount of that confidential data.

Since then, it has emerged that the server which was entered by cyberattackers contained the emails of an estimated 350 clients, including four US government departments, the United Nations and some of the world’s biggest multinationals. Anonymous sources with knowledge of the hack informed The Guardian that the incident was potentially more widespread than the six clients Deloitte had previously been prepared to acknowledge. A host of clients allegedly had material that was made vulnerable by the hack. Along with football’s global governing body FIFA, four global banks, three airlines, two multinational car manufacturers, energy giants and big pharmaceutical companies all had emails in the server that was breached.

A number of highly sensitive US governmental entities were also included in that list. The US Departments of State, Energy, Homeland Security and Defence, the US Postal Service and the National Institutes of Health were all made vulnerable by the hack, along with “Fannie Mae” and “Freddie Mac”, the housing giants that fund and guarantee mortgages in the US. Such is the severity of this particular revelation that New York’s State Attorney-General, Eric Schneiderman, has announced the launch of a formal investigation into Deloitte.

Previous case

The investigation comes one month after Eric Schneiderman launched a similar probe into a massive cyber security breach at US credit rating agency Equifax that threatened the personal details of up to 143 million Americans. The announcement of Schneiderman’s investigation sent Equifax’s stock into freefall, dropping 16% in what was the largest one-day decline in 16 years. Since then, fresh reports of a second attack in mid-October mean the company continues to struggle to recover – a fate Deloitte will be keen to avoid.

A spokesperson for Mr Schneiderman said he planned to examine Deloitte’s “data breach and its circumstances”, with the probe – first reported by the Wall Street Journal – also seeking to establish if the client information compromised could give clients’ competitors an unfair advantage.

A Deloitte spokesman confirmed, “We have received a routine request by letter from the NY office of the attorney-general, which has a mandate to investigate any breaches that may impact New York residents… As we have said, no consumers were affected by this incident. We are, of course, ready to address any questions from the New York attorney-general regarding this incident. As we have stated earlier, this incident was reported to governmental authorities beginning immediately upon learning of the incident.”