Thought leadership. threat analysis, news and alerts.
Major Accounting Firm Deloitte Admits It Suffered Cyber Attack
Deloitte, one of the world’s “big four” accountancy firms, admitted that it suffered a cyber attack. The company, however, downplayed the cyber attack saying that "only very few clients were impacted" and "no disruption" to client businesses happened.
Deloitte’s clients include 80% of the Fortune 500 companies and more than 6,000 private and middle market companies.
British news outlet The Guardian and cyber security journalist Brian Krebs have come out with a different take on Deloitte’s cyber attack.
Sources told the British news outlet that an estimated 5 million emails have been accessed by the hackers in the Deloitte cyber attack. A source close to the Deloitte cyber attack investigation, meanwhile, told Krebs that the Deloitte hacking incident involved the compromise of all administrator accounts at the company as well as the company’s entire internal email system.
“In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information,” Nick Hopkins of The Guardian wrote. “Some emails had attachments with sensitive security and design details.”
The Guardian reported that Deloitte discovered the hack in March of this year but the hackers may have had access to the company’s systems since October or November 2016. This hacking period was confirmed by Krebs who said that the Deloitte hacking dates back to at least the fall of 2016.
“Deloitte has sought to downplay the incident, saying it impacted ‘very few’ clients,” Brian Krebs wrote. “But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.”
“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” Deloitte said in a statement. “The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.
A source told Krebs that Deloitte “does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.”
Cause of the Cyber Attack
Sometime in October 2016, Deloitte may have sense that something was wrong as the company sent out an email to all its employees in the US calling for a mandatory password reset. The notice includes an advice to pick complex passwords and a warning that employees who fail to change their passwords or personal identification numbers (PINs) by Oct. 17, 2016 wouldn’t be able to access email or other Deloitte applications.
According to The Guardian, Deloitte’s global email server was compromised through an “administrator’s account” – an account that has unrestricted access to all aspects of the email server. The administrator’s account required only a single password and didn’t have 2-step verification, sources of The Guardian said.
By relying only on a password – single factor authentication, Deloitte’s email system became highly vulnerable to cyber attack.
Hackers nowadays find is easy to hack emails using only a single factor of authentication or a password due to the following reasons:
Prior to the massive hack at Equifax where personal identifiable information like names, Social Security numbers, birth dates, addresses of 143 million Americans, 100,000 Canadians and 400,000 UK residents were stolen, Equifax was a victim of an earlier hacking incident.
On May 15 of this year, the Counsel for TALX Corporation – a wholly owned subsidiary of Equifax – informed the Attorney General of New Hampshire about a hacking incident that harvested W-2 tax forms of the employees of the corporate clients of TALX. According to the Counsel for TALX, hackers gained access to the website of TALX and harvested W-2 tax forms of customers by successfully answering personal questions used to reset “PlNs” or passwords to access the website.
“Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” the Counsel for TALX said.
“It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN,” Avivah Litan, a fraud analyst with Gartner, told Krebs, in reaction to the TALX-Equifax data breach. “That’s so 1990s.”
What is a 2-Step Verification
Many companies like Google, Facebook and Apple have adopted the 2-step verification, also known as two-factor authentication.
The 2-step verification is one of the security measures to help keep bad guys out. An example of the 2-step verification is that of Gmail where you'll be asked to enter your password as usual. In addition to the password, you'll be asked for something else. A code will be sent to your smartphone via text, voice call or mobile app. You can sign in using this code. You can also sign in using a USB security key – a small device that connects to your computer.
Can the 2-step verification totally keep the bad guys away? The two-factor authentication offers more protection than logging into an email account without it. This added layer of security can stop certain group of hackers. It can’t, however, stop other sophisticated cyber attacks.
The USB security key is considered as more secure compared to the code sent via smartphone. There’s, however, the danger of this device being lost or stolen. Cyber criminals, in the past, have infected mobile devices to steal 2-step verification security codes.
Your organization’s entire internal email system could be full of sensitive information. Protecting your company’s email system goes beyond a password – single factor authentication. Email security also goes beyond the two-factor authentication.
Contact us today if you need further protection for your organization’s internal email system.
Steve E. Driz, I.S.P., ITCP